> A user has asked us to find out who is changing one of their files and how it
> is being changed. I came up with the script below:
> [...]
> syscall::open:entry, syscall::creat:entry, [...]
> Is this a good approach or is there a better one?

It is a good approach, but if I wanted to be a malicious hacker, I would use

  ln -s /etc/passwd /tmp/.bash_history
  cd /tmp
  echo "muahaha" > .bash_history

and you would only see ".bash_history" being opened. You can avoid this trickery by going closer to the kernel, to the virtual filesystem layer. I hacked together a quick script to demonstrate how (attached), but you'll find more examples in this mailing list.

> Occasionally the script produces errors that look like:
>
> dtrace: error on enabled probe ID 2 (ID 2521: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 28
>
> Is this due to open being passed an argument by value instead of reference?
> How can I modify the predicate to avoid this error message?

Frankly? I do not know :)

Cheers
-- Vlad
#!/usr/sbin/dtrace -s

/* Report opens by the vnode path the VFS resolved, not the name the
 * caller used; skip vnodes that have no cached v_path. */
fop_open:entry
/(*args[0])->v_path/
{
	printf("Open: %s", stringof((*args[0])->v_path));
}

/* args[5] is the vnode_t ** that receives the new vnode; it is only
 * filled in by the time fop_create returns, so remember it per thread. */
fop_create:entry
{
	self->create = args[5];
}

/* Print only when a vnode was actually handed back (the create can fail
 * and leave *vpp NULL, which would abort the clause with an error). */
fop_create:return
/self->create && *self->create && (*self->create)->v_path/
{
	printf("Create: %s", stringof((*self->create)->v_path));
}

/* Always clear the thread-local so it cannot leak across a failed create. */
fop_create:return
/self->create/
{
	self->create = 0;
}

/* Directory-relative operations: print the directory's vnode path plus
 * the name passed in. */
fop_remove:entry
{
	printf("Remove: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_mkdir:entry
{
	printf("Mkdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_rmdir:entry
{
	printf("Rmdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_rename:entry
{
	printf("Rename: %s/%s -> %s/%s", stringof(args[0]->v_path), stringof(args[1]),
	    stringof(args[2]->v_path), stringof(args[3]));
}
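The attached script answers "which file" at the VFS layer; the original question was also "who". The D script below is an added example and is not Vlad's script or anything from the thread: it pairs the name a process hands to open(2) with the vnode path fop_open() resolves for it in the same thread, so the symlink trick above shows up as a mismatch between the two columns, and it records uid, pid, execname and whether the open succeeded. It assumes an OpenSolaris kernel where fbt exposes fop_open(vnode_t **vpp, ...) as the attached script already relies on, and the syscall probe names open and open64.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original thread). Correlates the name
 * passed to open(2) with the vnode the VFS layer actually opens.
 * Assumes OpenSolaris fbt::fop_open with args[0] of type vnode_t **.
 */
#pragma D option quiet

/* Only remember the user pointer here. copyinstr() at :entry can fail
 * with "invalid address" if the page has not been faulted in yet. */
syscall::open:entry,
syscall::open64:entry
{
	self->namep = arg0;
}

/* Same thread, same syscall: capture the path of the vnode the VFS
 * resolved, which is the real target even when the name was a symlink. */
fbt::fop_open:entry
/self->namep && (*args[0])->v_path != NULL/
{
	self->real = stringof((*args[0])->v_path);
}

/* By the return probe the kernel has touched the user buffer, so copying
 * the name is safe. An empty vnode column means v_path was not cached. */
syscall::open:return,
syscall::open64:return
/self->namep/
{
	this->asked = copyinstr(self->namep);
	printf("%-5d %-6d %-14s %-3s open(%s) vnode=%s%s\n",
	    uid, pid, execname, errno == 0 ? "ok" : "err",
	    this->asked, self->real,
	    this->asked != self->real ? "  <- name differs from vnode path" : "");
	self->namep = 0;
	self->real = 0;
}
```

Run it as root with dtrace -s, or chmod +x it. With the ln -s trick from above, the line for the echo shows open(.bash_history) next to vnode=/etc/passwd, which is the record you want to keep when deciding who touched the file. Relative names always differ from the absolute vnode path, so the trailing marker is a hint; the vnode column is the authoritative one. Deferring copyinstr() to the return probe is the placement the DTrace guide recommends for user strings, and it is the usual cause of "invalid address" errors from copyinstr() at open:entry.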
_______________________________________________
dtrace-discuss mailing list
dtrace-discuss@opensolaris.org