3 Replies Latest reply: Mar 15, 2011 5:41 AM by abrante RSS

    monitoring file changes

    736676
      Hello all,

      we have an issue on a "Solaris 10 10/08 s10s_u6wos_07b SPARC" machine - the /etc/passwd and /etc/shadow files become trashed (overwritten with lots of non-ASCII characters) at random intervals by an unknown process.
      So I've tried to trace the access to the file:

      #!/usr/sbin/dtrace -qs
      syscall::open:entry
      /arg1 == 1 || arg1 == 2/
      {
      self->file = copyinstr(arg0);
      }

      syscall::open:return
      /self->file != NULL/
      {
      printf("caught open to file [%s] by %d / %s\n",
      self->file, pid, execname);
      ustack();
      self->file = 0;
      }

      But the accesses are not catched. e.g. if I manually edit the passwd file over a console with vi it is not catched by the syscall::open: probes.
      Looking at the functions provided by dtrace there are lots of different write and open functions for different purposes on userland and kernel levels.

      Isn't it somehow possible to monitor all modifications on e.g. the /etc/passwd file no matter which system call? What I finally need is the PID or better the process name that is modifying the file.

      Thanks for any hints for pointing me in the right direction,
      vitaminx