1 Reply Latest reply on Jan 8, 2010 3:48 PM by 807559

    Getting parent pid execname

      I am modifying opensnoop to try to determine the script/executable that removes a file. How do I get access to the parent pid "PROCESS NAME"? I know how to get the ppid, but what about its name and the args that it used?

      For example:
      ===== blah.sh ========

      rm /var/tmp/foobar

      In the "opensnoop", I have the function:
      { self->pathp = arg0; }

      { printf("Parent pid <%d>  unlinked the file %s done with %s command.", ppid, basename(copyinstr(self->pathp)), execname); }

      WHICH WOULD OUTPUT: Parent pid 1234 unlinked the file foobar with rm command.

      How do I get the PPID information since I want to know that it was "blah.sh" that was the culprit behind removal of this file?
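One way to answer the question above, as an added example that is not part of the original post or of opensnoop: the `ppid` built-in only yields the parent's id, but the parent's command name and argument string live in the parent's `proc_t`, reachable from the current thread as `curthread->t_procp->p_parent`. This script assumes the Solaris/OpenSolaris kernel structure names (`proc_t`, `p_parent`, `p_user.u_comm`, `p_user.u_psargs`) and traces both `unlink(2)` and `unlinkat(2)`, since rm(1) on newer releases calls the latter with the path as its second argument.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): when a file is unlinked,
 * print the removing process and the name and args of its parent, read
 * from the parent's proc_t via curthread->t_procp->p_parent.
 */
#pragma D option quiet
/* allow the script to load even if one of unlink/unlinkat is absent on this release */
#pragma D option zdefs

dtrace:::BEGIN
{
    printf("%-6s %-16s %-6s %-16s %s\n",
        "PID", "EXEC", "PPID", "PEXEC", "PATH");
}

/* unlink(2): the path is the first argument */
syscall::unlink:entry
{
    self->pathp = arg0;
}

/* unlinkat(2): (fd, path, flag), so the path is the second argument */
syscall::unlinkat:entry
{
    self->pathp = arg1;
}

/* only report removals that actually succeeded (return value 0) */
syscall::unlink:return,
syscall::unlinkat:return
/self->pathp && arg0 == 0 && curthread->t_procp->p_parent != NULL/
{
    /* parent proc_t; stringof() turns the fixed-size char arrays into D strings */
    this->pp = curthread->t_procp->p_parent;

    printf("%-6d %-16s %-6d %-16s %s\n",
        pid, execname, ppid,
        stringof(this->pp->p_user.u_comm),
        copyinstr(self->pathp));
    printf("    parent args: %s\n", stringof(this->pp->p_user.u_psargs));

    self->pathp = 0;
}

/* clear the thread-local on failed calls so it does not leak to the next one */
syscall::unlink:return,
syscall::unlinkat:return
/self->pathp/
{
    self->pathp = 0;
}
```

One caveat when hunting for a shell script: the parent of rm is the shell interpreter, so `u_comm` will read `sh` or `bash` rather than `blah.sh`; the script name itself shows up in the parent's `u_psargs` line (for example `/bin/sh blah.sh`), which is why the example prints both.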