From owner-freebsd-hackers Wed Oct 15 09:51:51 1997
Date: Wed, 15 Oct 1997 12:51:24 -0400 (EDT)
From: Brian Mitchell
To: Niall Smart
cc: c@doc.ic.ac.uk, hackers@freebsd.org
Subject: Re: Question about file opens

On Wed, 15 Oct 1997, Niall Smart wrote:

> > On Wed, 15 Oct 1997, Charles Green wrote:
> >
> > > For a project I'm working on we're interested in tracking file opens,
> > > and are interested in the best way of tracking them. Any ideas? Or is it
> > > impossible without modifying the kernel?
> >
> > There are two ways, auditing (which FreeBSD doesn't have yet - see
> > http://shell.firehouse.net/~brian/bsdc2audit for preliminary driver) or
> > modifying the libc stubs. You could also use a preloaded shared lib to do
> > it without rebuilding libc, if you wanted to.
>
> It's probably worth noting that if the auditing is for security-related
> purposes then modifying the libc stubs is worse than useless because
> the system calls can be called directly by the hacker without libc.
>
> Niall
>

Yes. I'm assuming the original poster is not needing to do this for
security-related purposes, but rather for debugging purposes.
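
The preloaded shared library approach mentioned in the thread, as an added example that is not part of the original messages or of any FreeBSD code. It assumes a Linux or modern FreeBSD system that provides syscall() and SYS_openat; the library name, the log format and the helper logged_opens() are made up for illustration.

```c
/* Added example (constructed): open() logger for LD_PRELOAD, debugging only.
 * Build: cc -shared -fPIC -o libopenlog.so openlog.c
 * Use:   LD_PRELOAD=./libopenlog.so <command>      (file names are made up) */
#undef _FORTIFY_SOURCE            /* we define open() ourselves below */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* for syscall() under strict -std modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static int open_count;            /* opens seen by the wrapper (not thread-safe) */

int logged_opens(void) { return open_count; }

/* Stands in for the libc stub for every caller that resolves open(). */
int open(const char *path, int flags, ...)
{
    char line[512];
    mode_t mode = 0;
    int fd, saved, n;

    if (flags & O_CREAT) {        /* a mode argument is only passed with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);   /* narrow mode_t is promoted to int */
        va_end(ap);
    }

    /* Forward with a raw system call. Any program can issue the same call
     * itself, and then nothing in this file runs: no log line, no count. */
    fd = (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
    saved = errno;                /* keep the caller's errno intact */

    open_count++;
    n = snprintf(line, sizeof line, "[openlog] pid=%ld open(\"%s\", 0x%x) = %d\n",
                 (long)getpid(), path ? path : "(null)", (unsigned)flags, fd);
    if (n >= (int)sizeof line)
        n = (int)sizeof line - 1; /* long path: log the truncated line */
    if (n > 0 && write(STDERR_FILENO, line, (size_t)n) < 0) {
        /* logging is best effort; never fail the open because of it */
    }
    errno = saved;
    return fd;
}
```

The wrapper only sees callers that go through the exported open() symbol, which is why it suits the debugging case discussed in the reply and not the security-auditing case.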