dtrace discuss - Feb 2011 - need dtrace script to monitor file writes

I''ve got a mystery process writing to my /etc/inet/hosts file.
I''d like to
find a dtrace script that can monitor the file and do a "ps -ef" or
equivalent to capture the process that''s writing to the file. 
I''m a dtrace
newbie, and was hoping someone here could point me in the right direction.
I''ve googled it and found some scripts that apply to zfs, this is just
ufs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20110207/73f056eb/attachment.html>

On Mon, Feb 7, 2011 at 18:37, G Hazel <geoffhazel at gmail.com>
wrote:
> I''ve got a mystery process writing to my /etc/inet/hosts file.
I''d like to
> find a dtrace script that can monitor the file and do a "ps -ef"
or
> equivalent to capture the process that''s writing to the file.?
I''m a dtrace
> newbie, and was hoping someone here could point me in the right direction.
> I''ve googled it and found some scripts that apply to zfs, this is
just ufs.
which fs is in use here should be irrelevant; I''d monitor the open and
write system calls, maybe starting with something like this (check the
details, I''m typing this from memory):

syscall::open:entry
/arg0 == "/etc/hosts" || arg0 == "/etc/inet/hosts" /  /*
also check
for "w" permission here */
{
     self->s = speculation();
     speculate(self->s);
     printf("%s opening hosts", execname);
}

/* do the same as above for openat() */
syscall::open:return
/self->s && arg1 == -1/ /* failure */
{
    discard(self->s)
    self->s = 0;
}

syscall::open:return
/self->s/
{
    commit(self->s);
     self->s = 0;
}

this should tell you who''s successfully opened /etc/inet/hosts

HTH
Michael
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org
>


-- 
regards/mit freundlichen Gr?ssen
Michael Schuster

The dtracetoolkit already has what you are looking for.  Try opensnoop 
-f /etc/inet/hosts

http://hub.opensolaris.org/bin/view/Community+Group+dtrace/dtracetoolkit

Dave

On 02/07/11 11:37, G Hazel wrote:
> I''ve got a mystery process writing to my /etc/inet/hosts file.
I''d
> like to find a dtrace script that can monitor the file and do a "ps 
> -ef" or equivalent to capture the process that''s writing to
the file.
> I''m a dtrace newbie, and was hoping someone here could point me in
the
> right direction.   I''ve googled it and found some scripts that
apply
> to zfs, this is just ufs.
> ------------------------------------------------------------------------
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20110207/08fb070e/attachment.html>

On Mon, Feb 7, 2011 at 11:47 AM, Michael Schuster
<michaelsprivate at gmail.com> wrote:
> which fs is in use here should be irrelevant; I''d monitor the open
and
> write system calls, maybe starting with something like this (check the
> details, I''m typing this from memory):
>
> syscall::open:entry
> /arg0 == "/etc/hosts" || arg0 == "/etc/inet/hosts" /
?/* also check
This won''t work.  You need to copyinstr() the argument, but aside from
that, DTrace probes run in DTrace context, which cannot page things
in.  If the argument is not paged in, then you can''t get it in
syscall::open:entry.  You can get it in syscall::open:return (though
that''s not reliable, since the application could have changed it), or
you can get it from the file descriptor''s vnode''s v_path,
though
that''s less portable.

Nico
--

> I''ve got a mystery process writing to my /etc/inet/hosts file.
I''d like to find a dtrace script that can monitor the file and do a
"ps -ef" or
> equivalent to capture the process that''s writing to > the
file.? I''m a dtrace newbie, and was hoping someone here could point me
in the right
> direction.?? I''ve googled it and found some scripts that apply to
zfs, this is just ufs.
If you just want to see writes to hosts you can try the fsinfo provider.

#pragma D option quiet

fsinfo:genunix::write /strstr(args[0]->fi_pathname,"hosts") !=
NULL/ {
        printf("%d %s %s\n", pid, execname, args[0]->fi_pathname)
}

This will work with either UFS or ZFS.  

Since its UFS the io:: provider could do something similar.

-Alex