> A user has asked us to find out who is changing one of their files and how it
> is being changed. I came up with the script below:
[...]
>        syscall::open:entry,    syscall::creat:entry,
[...]


> Is this a good approach or is there a better one?

It is a good approach, but if I wanted to be a malicious hacker, I would
use

ln -s /etc/passwd /tmp/.bash_history
cd /tmp
echo "muahaha" > .bash_history

And you would only see ".bash_history" being opened. You can avoid this
trickery by going closer to the kernel, to the virtual filesystem layer.
I hacked together a quick script to demonstrate how (attached), but you'll
find more examples in this mailing list.

> Occasionally the script produces errors that look like:
> 
>       dtrace: error on enabled probe ID 2 (ID 2521: syscall::open:entry): 
>       invalid address (0xff358000) in predicate at DIF offset 28
>     
> Is this due to open being passed an argument by value instead of reference?
> How can I modify the predicate to avoid this error message?

Frankly? I do not know :)

Cheers

-- 
        Vlad

#!/usr/sbin/dtrace -s

/*
 * Trace file operations at the VFS layer (fbt probes on the fop_* entry
 * points) rather than at the syscall layer, so every path is taken from
 * the vnode the kernel actually operates on, after symlinks are resolved.
 */

/* fop_open(vnode_t **vpp, ...): args[0] points to the vnode pointer. */
fop_open:entry
/(*args[0])->v_path/
{
        printf("Open: %s", stringof((*args[0])->v_path));
}

/*
 * fop_create(vnode_t *dvp, char *name, ..., vnode_t **vpp, ...): the new
 * vnode is only filled in by the time the function returns, so remember
 * args[5] here and read it in the return probe.
 */
fop_create:entry
{
        self->create = args[5];
}

/*
 * Only dereference *vpp on success (return value 0); on failure it may be
 * uninitialised and stringof() would fail with "invalid address".
 */
fop_create:return
/self->create && arg1 == 0 && (*self->create)->v_path/
{
        printf("Create: %s", stringof((*self->create)->v_path));
}

fop_create:return
/self->create/
{
        self->create = 0;
}

/*
 * fop_remove(vnode_t *dvp, char *nm, ...): directory vnode plus entry name.
 * v_path can be NULL for some vnodes, so guard it before calling stringof().
 */
fop_remove:entry
/args[0]->v_path/
{
        printf("Remove: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_mkdir:entry
/args[0]->v_path/
{
        printf("Mkdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_rmdir:entry
/args[0]->v_path/
{
        printf("Rmdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

/* fop_rename(vnode_t *sdvp, char *snm, vnode_t *tdvp, char *tnm, ...) */
fop_rename:entry
/args[0]->v_path && args[2]->v_path/
{
        printf("Rename: %s/%s -> %s/%s", stringof(args[0]->v_path),
            stringof(args[1]), stringof(args[2]->v_path), stringof(args[3]));
}
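
Building on the symlink trick and the attached fbt script, the following is an added script (mine, not from the post or its attachment) that reports who opens the watched file and prints the path the process passed to open(2) next to the vnode path resolved at fop_open, so a symlink detour becomes visible; it also defers copyinstr() until the kernel has copied the path in, which avoids the "invalid address" error that copyinstr() at syscall entry can raise when the user page is not yet faulted in. It assumes the Solaris/OpenSolaris syscall and fbt providers, a vnode_t with a v_path member, and the watched file passed as $1.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of the original post or its attachment.
 * Usage (assumption): ./vfswatch.d /etc/passwd
 * Assumes Solaris/OpenSolaris syscall and fbt providers and vnode_t.v_path.
 */
#pragma D option quiet

syscall::open:entry, syscall::open64:entry
{
        /*
         * Keep only the user address here. The page holding the path may
         * not be faulted in yet, so copyinstr(arg0) at entry can fail with
         * "invalid address"; it is safe once the kernel has copied it in.
         */
        self->upath = arg0;
        self->oflag = arg1;
}

/*
 * fop_open(vnode_t **vpp, int mode, cred_t *cr, ...) runs after the lookup
 * has followed any symlinks, so *args[0] is the vnode really being opened.
 * Only opens of the watched file ($1) that came through open(2) are shown.
 */
fbt::fop_open:entry
/self->upath && (*args[0])->v_path != NULL &&
 stringof((*args[0])->v_path) == $$1/
{
        /* Low two bits of the open flags: 0 = O_RDONLY, 1/2 = write access. */
        printf("%Y %s[%d] uid=%d %s: open(\"%s\", 0x%x) -> %s\n",
            walltimestamp, execname, pid, uid,
            (self->oflag & 3) ? "WRITE" : "read",
            copyinstr(self->upath), self->oflag,
            stringof((*args[0])->v_path));
}

syscall::open:return, syscall::open64:return
{
        self->upath = 0;
        self->oflag = 0;
}
```

When the requested path differs from the resolved vnode path (for example ".bash_history" resolving to /etc/passwd), the process reached the file through a symlink or a relative path; modifications made through rename, unlink or mmap are not covered by this open-centric view, which is where the fop_* probes in the attached script come in.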


_______________________________________________
dtrace-discuss mailing list
dtrace-discuss@opensolaris.org
