1 Reply Latest reply: Jan 8, 2010 9:48 AM by 807559

    Getting parent pid execname

    807559
      I am modifying opensnoop to try to determine the script/executable that removes a file. How do I get access to the parent pid "PROCESS NAME"? I know how to get the ppid, but what about its name and the args that it used?

      For example:
      ===== blah.sh ========
      #!/bin/sh

      rm /var/tmp/foobar
      =============

      In the "opensnoop", I have the function:

      /* remember the pathname pointer passed to unlink(2) on entry */
      syscall::unlink:entry
      { self->pathp = arg0; }

      /* on return, report who unlinked which file; ppid and execname
         describe the calling process and its parent pid */
      syscall::unlink:return
      { printf("Parent pid <%d>  unlinked the file %s done with %s command.\n", ppid, basename(copyinstr(self->pathp)), execname); self->pathp = 0; }

      WHICH WOULD OUTPUT: Parent pid 1234 unlinked the file foobar with rm command.

      How do I get the PPID information since I want to know that it was "blah.sh" that was the culprit behind removal of this file?


      Thanks,
      Sean
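
An added example, not from the original post and not part of opensnoop, showing one way to resolve the parent's command name and full argument string from the kernel process structure. It assumes a Solaris/OpenSolaris kernel, where `curthread->t_procp` is the current `proc_t`, `p_parent` points at the parent's `proc_t`, and `p_user.u_comm` / `p_user.u_psargs` hold the parent's command name and argument string (the COMM and ARGS columns of ps(1)); on other DTrace platforms the structure names differ.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post or from opensnoop):
 * for every unlink(2), log the deleting process together with its
 * parent's pid, command name and argument string.
 *
 * Assumption: Solaris kernel layout, i.e. curthread->t_procp is the
 * current proc_t, p_parent is the parent proc_t, and p_user.u_comm /
 * p_user.u_psargs are the parent's command name and argv string.
 */
#pragma D option quiet

syscall::unlink:entry
{
        /* arg0 is the user-space pointer to the pathname */
        self->pathp = arg0;
}

syscall::unlink:return
/self->pathp/
{
        /*
         * u_comm of the parent is only the binary name (e.g. "sh").
         * u_psargs carries the command line, which is where a script
         * name such as "blah.sh" shows up for an interpreted script.
         */
        this->parent = curthread->t_procp->p_parent;

        printf("%Y pid %d (%s) ppid %d (%s, args \"%s\") unlinked %s\n",
            walltimestamp, pid, execname,
            ppid,
            stringof(this->parent->p_user.u_comm),
            stringof(this->parent->p_user.u_psargs),
            copyinstr(self->pathp));

        /* release the thread-local variable */
        self->pathp = 0;
}
```

Run it as root with `dtrace -s` (or make the file executable). For the blah.sh case in the question, the unlinking process is `rm`, its parent is the shell interpreting the script, and `u_psargs` of that parent is what carries the "blah.sh" name; `u_comm` alone would only say "sh". Reading `p_parent` this way follows the kernel's parent pointer at the moment of the return probe, so a process whose parent has already exited will show the reparented pid (typically init) rather than the original script.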