A user has asked us to find out who is changing one of their files and how it is being changed. I came up with the script below:

#!/usr/sbin/dtrace -s
#pragma D option quiet

BEGIN
{
	printf("\n Timestamp gid uid pid ppid execname function current directory file name\n\n");
}

/* Report every open/creat/unlink/rename whose user-space path contains $1. */
syscall::open:entry, syscall::creat:entry, syscall::open64:entry, syscall::creat64:entry, syscall::unlink:entry, syscall::rename:entry
/strstr(stringof(copyinstr(arg0)), $1) != NULL/
{
	printf("%Y %5d %5d %5d %5d %-12s %-10s %25s %s\n", walltimestamp, gid, uid, pid, ppid, execname, probefunc, cwd, stringof(copyinstr(arg0)));
}

The script is invoked with:

./lsfacc '"userfile"'

Is this a good approach or is there a better one?

Occasionally the script produces errors that look like:

dtrace: error on enabled probe ID 2 (ID 2521: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 28

Is this due to open being passed an argument by value instead of reference? How can I modify the predicate to avoid this error message?

-- 
This message posted from opensolaris.org
Vladimir Marek
2008-Apr-20 10:52 UTC
[dtrace-discuss] dtrace script to monitor file access
> A user has asked us to find out who is changing one of their files and how it is being changed. I came up
> with the script below:
[...]
> syscall::open:entry, syscall::creat:entry,
[...]
> Is this a good approach or is there a better one?

It is a good approach, but if I wanted to be a malicious hacker, I would use

ln -s /etc/passwd /tmp/.bash_history
cd /tmp
echo "muahaha" > .bash_history

And you would only see ".bash_history" being opened. You can avoid this trickery by going closer to the kernel, to the virtual filesystem layer. I hacked together a quick script to demonstrate how (attached), but you'll find more examples in this mailing list.

> Occasionally the script produces errors that look like:
> 
> dtrace: error on enabled probe ID 2 (ID 2521: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 28
> 
> Is this due to open being passed an argument by value instead of reference?
> How can I modify the predicate to avoid this error message?

Frankly? I do not know :)

Cheers

-- 
Vlad
-------------- next part --------------
#!/usr/sbin/dtrace -s

/* fop_open takes a vnode_t **, so dereference once before reading v_path. */
fop_open:entry
/(*args[0])->v_path/
{
	printf("Open: %s", stringof((*args[0])->v_path));
}

/* The new vnode is only filled in on return; remember the vnode_t ** (args[5]). */
fop_create:entry
{
	self->create = args[5];
}

fop_create:return
/self->create && *self->create && (*self->create)->v_path/
{
	printf("Create: %s", stringof((*self->create)->v_path));
}

/* Always clear the thread-local, even when the create failed. */
fop_create:return
/self->create/
{
	self->create = 0;
}

/* Directory vnode plus component name; guard v_path so NULL never reaches stringof(). */
fop_remove:entry
/args[0]->v_path/
{
	printf("Remove: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_mkdir:entry
/args[0]->v_path/
{
	printf("Mkdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_rmdir:entry
/args[0]->v_path/
{
	printf("Rmdir: %s/%s", stringof(args[0]->v_path), stringof(args[1]));
}

fop_rename:entry
/args[0]->v_path && args[2]->v_path/
{
	printf("Rename: %s/%s -> %s/%s", stringof(args[0]->v_path), stringof(args[1]), stringof(args[2]->v_path), stringof(args[3]));
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 193 bytes
Desc: not available
URL: <http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20080420/fc92cf0b/attachment.bin>
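An added example, not part of this thread or its attachments: a version of the VFS-layer approach that filters on the kernel-resident v_path (so the symlink trick is reported under the path of the real target and no copyinstr() of user memory is involved), records who made the change and whether the open was for writing, and guards every v_path before stringof(). It assumes the Solaris fop_* argument layouts used in the attached script and the FWRITE bit value 0x02 from sys/file.h; the script name fopwatch.d is a placeholder.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the thread): watch one file at the VFS layer.
 * Usage: ./fopwatch.d '"userfile"'   ($1 = substring of the real path)
 * v_path lives in kernel memory, so no copyinstr() of user pages is needed,
 * and a symlink is reported under the path of the vnode it resolves to.
 */
#pragma D option quiet

/* Assumed from sys/file.h: the FWRITE bit of fop_open's mode argument. */
inline int F_WRITE = 0x02;

BEGIN
{
	printf("%-20s %5s %5s %5s %-12s %-8s %s\n",
	    "TIMESTAMP", "UID", "GID", "PID", "EXECNAME", "OP", "PATH");
}

/* args[0] is vnode_t **; v_path can be NULL, so guard it before stringof(). */
fop_open:entry
/(*args[0])->v_path != NULL && strstr(stringof((*args[0])->v_path), $1) != NULL/
{
	printf("%Y %5d %5d %5d %-12s %-8s %s\n", walltimestamp, uid, gid, pid,
	    execname, (args[1] & F_WRITE) ? "open-w" : "open-r",
	    stringof((*args[0])->v_path));
}

/* create and remove get the directory vnode plus the component name. */
fop_create:entry,
fop_remove:entry
/args[0]->v_path != NULL &&
 (strstr(stringof(args[0]->v_path), $1) != NULL ||
  strstr(stringof(args[1]), $1) != NULL)/
{
	printf("%Y %5d %5d %5d %-12s %-8s %s/%s\n", walltimestamp, uid, gid, pid,
	    execname, probefunc == "fop_create" ? "create" : "remove",
	    stringof(args[0]->v_path), stringof(args[1]));
}

/* rename: report when either the source or the destination name matches. */
fop_rename:entry
/args[0]->v_path != NULL && args[2]->v_path != NULL &&
 (strstr(stringof(args[1]), $1) != NULL || strstr(stringof(args[3]), $1) != NULL)/
{
	printf("%Y %5d %5d %5d %-12s %-8s %s/%s -> %s/%s\n", walltimestamp, uid,
	    gid, pid, execname, "rename", stringof(args[0]->v_path),
	    stringof(args[1]), stringof(args[2]->v_path), stringof(args[3]));
}
```

Because the match is on the resolved vnode path, writing through /tmp/.bash_history shows up as an open-w of /etc/passwd by the calling uid and execname.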