[dtrace-discuss] Re: Re: How to monitor any access to a specific file using dtrace
Brendan Gregg - Sun Microsystems
brendan at sun.com
Tue Jan 23 00:49:46 PST 2007
G'Day David,
On Mon, Jan 22, 2007 at 07:11:55PM -0800, David Chen wrote:
> Hi Brendan,
> Thanks a lot for your information.
> From your mail, I understand that syscall provider can't fulfill my requirement even if I can get the full path name, since hardlink may be used, is that right?
By tracing syscall::link:entry, you can trace the creation of new hard links.
So long as the hard links were created after logging was enabled, you can
still try the syscall provider approach.
> As you suggested, can I monitor "any access" by vnode at the VFS layer? How to do it and could you pls give some example?
While VFS is an option, I'd certainly try this from the syscall layer
first, by tracing at least:
syscall::open*:entry
syscall::link:entry
syscall::unlink:entry
> It's security monitoring as you said, I just record the "access events" and log them into a file (I know it's amusing since "hacker" can easily delete his access log from the file, or even delete the log file, but it's the "requirement", :-( ).
Hackers/crackers will have a tough time modifying the log file if it were
owned and modifiable only as root; patched Solaris 10 is extremely secure.
Even more secure if the cracker has only breached a Solaris Zone, and your
monitoring script is running from the global zone.
With security monitoring it is best to either do it properly, or, do the
best you can and let the powers that be know what the flaws are. If the
logs are ever needed for a security incident - then you want something
you can rely on.
> On the other hand, I'm quickly going through SunSHIELD user guide, I see it can monitor any user's any action, but not sure if it can monitor "any access" to a file, any experience that you can share about setting it?
A while back I set up and helped set up BSM auditing (SunSHIELD) on several
systems - it is a powerful tool that can solve many security monitoring
needs. I remember being told that the log files were inscrutable to anyone
without a PhD in computer science -- but after spending some time
with the SunSHIELD manual, I found the log files weren't so bad at all.
They are very suitable for post processing in Perl.
If I get a chance I'll blog about how I like to configure BSM, and
explain the roles of BSM and DTrace side by side...
no worries,
Brendan
--
Brendan
[CA, USA]
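A script along the lines Brendan suggests, added here as an example that is not part of the original thread: it traces syscall::open*, link and unlink for one watched path, and any hard link created to that path while the script runs is watched from then on. The script name watchfile.d, the full path passed as $1, and the limitation that relative paths are compared as typed rather than resolved are all assumptions of this example.

```dtrace
#!/usr/sbin/dtrace -s
/* watchfile.d: log open/link/unlink on one file (full path in $1).
 * Added example, not from the original thread. Relative paths are
 * compared as typed, not resolved. usage: ./watchfile.d /etc/shadow */
#pragma D option quiet

dtrace:::BEGIN
{
	watched[$$1] = 1;	/* the path, plus any hard links made later */
	printf("%-20s %-6s %-6s %-8s %s\n", "TIME", "PID", "UID", "CALL", "PATH");
}

/* save the user pointers at entry and copyinstr() them at return, once
 * the kernel has faulted the string's pages in */
syscall::open*:entry  { self->p0 = arg0; }
syscall::unlink:entry { self->p0 = arg0; }
syscall::link:entry   { self->p0 = arg0; self->p1 = arg1; }

/* attempts are logged whether or not the call succeeded */
syscall::open*:return, syscall::unlink:return
/self->p0 && watched[copyinstr(self->p0)]/
{
	printf("%-20Y %-6d %-6d %-8s %s\n", walltimestamp, pid, uid,
	    probefunc, copyinstr(self->p0));
}

/* a successful link(2) to a watched file puts the new name on watch */
syscall::link:return
/self->p1 && arg0 == 0 && watched[copyinstr(self->p0)]/
{
	watched[copyinstr(self->p1)] = 1;
	printf("%-20Y %-6d %-6d %-8s %s -> %s\n", walltimestamp, pid, uid,
	    probefunc, copyinstr(self->p0), copyinstr(self->p1));
}

/* clear the per-thread pointers; this clause must come after the loggers */
syscall::open*:return, syscall::unlink:return, syscall::link:return
{
	self->p0 = 0; self->p1 = 0;
}
```

Links that already existed before the script started are not known to it, which is the gap Brendan describes; a rename(2) of the watched file is likewise not tracked here.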