A user has asked us to find out who is changing one of their files and how it is being changed. I came up with the script below:

#!/usr/sbin/dtrace -s
#pragma D option quiet

BEGIN
{
	printf("\n Timestamp gid uid pid ppid execname function current directory file name\n\n");
}

/* $1 is the file name passed on the command line as a quoted string literal. */
syscall::open:entry, syscall::creat:entry,
syscall::open64:entry, syscall::creat64:entry,
syscall::unlink:entry, syscall::rename:entry
/strstr(stringof(copyinstr(arg0)), $1) != NULL/
{
	printf("%Y %5d %5d %5d %5d %-12s %-10s %25s %s\n",
	    walltimestamp, gid, uid, pid, ppid, execname, probefunc, cwd,
	    stringof(copyinstr(arg0)));
}

The script is invoked with:

./lsfacc '"userfile"'

Is this a good approach or is there a better one?

Occasionally the script produces errors that look like:

dtrace: error on enabled probe ID 2 (ID 2521: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 28

Is this due to open being passed an argument by value instead of reference? How can I modify the predicate to avoid this error message?

--
This message posted from opensolaris.org
_______________________________________________
dtrace-discuss mailing list
dtrace-discuss@opensolaris.org
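The usual way to avoid the "invalid address" error is to save the user pointer at :entry and only call copyinstr() at :return, when the kernel has already faulted the page in. The script below is an added example written for this thread, not the poster's script; it uses the same six probes and the same $1 argument convention, and adds an errno guard for the case where the pointer really was bad.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post). Same audit as above, but
 * the path pointer is copied at :return instead of in the :entry
 * predicate. Invoke as before: ./lsfacc '"userfile"'
 */
#pragma D option quiet

BEGIN
{
	printf("%-19s %5s %5s %5s %5s %-12s %-8s %s\n", "Timestamp",
	    "gid", "uid", "pid", "ppid", "execname", "function", "file");
}

/* Entry: remember the user-space address only; do not copy it yet. */
syscall::open:entry, syscall::open64:entry,
syscall::creat:entry, syscall::creat64:entry,
syscall::unlink:entry, syscall::rename:entry
{
	self->path = arg0;
}

/* Return: the page is resident now. EFAULT means the pointer itself was
 * bad, so skip copyinstr() in that case as well. */
syscall::open:return, syscall::open64:return,
syscall::creat:return, syscall::creat64:return,
syscall::unlink:return, syscall::rename:return
/self->path != 0 && errno != EFAULT &&
 strstr(copyinstr(self->path), $1) != NULL/
{
	printf("%Y %5d %5d %5d %5d %-12s %-8s %s (cwd %s, errno %d)\n",
	    walltimestamp, gid, uid, pid, ppid, execname, probefunc,
	    copyinstr(self->path), cwd, errno);
}

/* Always clear the thread-local so the next syscall starts clean. */
syscall::open:return, syscall::open64:return,
syscall::creat:return, syscall::creat64:return,
syscall::unlink:return, syscall::rename:return
{
	self->path = 0;
}
```

Note that only the open/creat/unlink/rename calls are seen: a process that modifies the file through a descriptor it opened earlier, or names it only as the destination of rename(2), is not matched by these probes.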