Date: Fri, 17 Oct 1997 23:30:01 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: chuck@fang.cs.sunyit.edu (Charles Green)
Cc: hackers@FreeBSD.ORG
Subject: Re: Question about file opens
Message-ID: <199710172330.QAA07875@usr06.primenet.com>
In-Reply-To: <199710151010.KAA28975@fang.cs.sunyit.edu> from "Charles Green" at Oct 15, 97 10:10:56 am
> For a project I'm working on we're interested in tracking file opens,
> and are interested in the best way of tracking them. Any ideas? Or is it
> impossible without modifying the kernel?

Without modifying the kernel at all? No, if you need to track opens as events.

Without permanently modifying the kernel, you mean? Yes, it's pretty trivial...

Load an LKM that copies off the file name to an event queue, and then call the real open. You can replace the real open with your stub function by saving the value of the sysent structure at sysent[SYS_open] and pointing it to your function instead. You will have to copy the path in twice, but this is not a real hardship.

If you are trying to track resources, you will need to hack SYS_close as well, and look at the per process open file table to generate paired events. If you expect it to work paired over fork, an exec will have to examine the per process open file list, and generate pseudo-open events.

I would probably save the path in the queue record. I would probably use a character pseudo device as the queue head, and have a user audit process dequeue entries by reading a fixed length structure from the device.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710172330.QAA07875>
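The scheme Terry sketches (save the entry at sysent[SYS_open], point it at a stub that records the path to a queue and then calls the saved original; do the same for SYS_close; have exec emit pseudo-open events for inherited descriptors; let a user audit process read fixed-length records off a pseudo device) is kernel code and cannot be shown running here. The following is an added user-space C model of that control flow, not code from the mail, from FreeBSD or from any LKM: `model_sysent`, the slot numbers, `struct audit_rec`, `model_open`/`model_close`/`model_exec` and the ring-buffer "device" are all constructed stand-ins so the interposition, the open/close pairing and the queue-overrun case can be exercised on any host.

```c
/* Added example (hypothetical names throughout): user-space model of sysent interposition
 * for open/close auditing, with a fixed-length-record ring buffer standing in for the
 * character pseudo device that a user audit process would read from. */
#include <stdio.h>
#include <string.h>

#define NSYSCALLS       8
#define MODEL_SYS_OPEN  5    /* constructed slot numbers, not the real SYS_open/SYS_close */
#define MODEL_SYS_CLOSE 6
#define QUEUE_LEN       16   /* ring holds QUEUE_LEN - 1 records */
#define REC_PATH_LEN    64

/* Fixed-length record the audit process reads, one per read() of the device. */
struct audit_rec {
    int  pid;
    int  fd;
    char op;                  /* 'o' open, 'c' close, 'i' inherited across exec (pseudo-open) */
    char path[REC_PATH_LEN];  /* path saved in the record, as suggested in the mail */
};

typedef int (*sy_call_t)(int pid, const char *path, int fd);

static sy_call_t model_sysent[NSYSCALLS];  /* stands in for the kernel's sysent[] */
static sy_call_t real_open, real_close;    /* originals saved before redirection */

static struct audit_rec queue[QUEUE_LEN];  /* ring buffer behind the pseudo device */
static int q_head, q_tail;                 /* head = next write slot, tail = next read slot */
static int dropped;                        /* records lost because the audit reader fell behind */
static int next_fd = 3;

static void enqueue(int pid, int fd, char op, const char *path) {
    if ((q_head + 1) % QUEUE_LEN == q_tail) { dropped++; return; }  /* full: count the loss */
    struct audit_rec *r = &queue[q_head];
    r->pid = pid; r->fd = fd; r->op = op;
    snprintf(r->path, sizeof r->path, "%s", path ? path : "");
    q_head = (q_head + 1) % QUEUE_LEN;
}

/* One read() of the device: fills *out and returns 1, or returns 0 when the queue is empty. */
int audit_dequeue(struct audit_rec *out) {
    if (q_tail == q_head) return 0;
    *out = queue[q_tail];
    q_tail = (q_tail + 1) % QUEUE_LEN;
    return 1;
}
int audit_dropped(void) { return dropped; }

/* The "real" open and close that the stubs wrap (constructed behaviour). */
static int orig_open(int pid, const char *path, int fd) { (void)pid; (void)path; (void)fd; return next_fd++; }
static int orig_close(int pid, const char *path, int fd) { (void)pid; (void)path; return fd >= 3 ? 0 : -1; }

/* Stubs installed in the table: call the saved original, then record the event. */
static int hooked_open(int pid, const char *path, int fd) {
    int newfd = real_open(pid, path, fd);
    if (newfd >= 0) enqueue(pid, newfd, 'o', path);
    return newfd;
}
static int hooked_close(int pid, const char *path, int fd) {
    int rc = real_close(pid, path, fd);
    if (rc == 0) enqueue(pid, fd, 'c', "");
    return rc;
}

/* What the LKM load routine would do: save the table entries, then point them at the stubs. */
void audit_install(void) {
    model_sysent[MODEL_SYS_OPEN]  = orig_open;
    model_sysent[MODEL_SYS_CLOSE] = orig_close;
    real_open  = model_sysent[MODEL_SYS_OPEN];
    real_close = model_sysent[MODEL_SYS_CLOSE];
    model_sysent[MODEL_SYS_OPEN]  = hooked_open;
    model_sysent[MODEL_SYS_CLOSE] = hooked_close;
}

/* Dispatch through the table, as the syscall trap handler would. */
int model_open(int pid, const char *path) { return model_sysent[MODEL_SYS_OPEN](pid, path, -1); }
int model_close(int pid, int fd)          { return model_sysent[MODEL_SYS_CLOSE](pid, NULL, fd); }

/* Exec hook: walk the (constructed) per-process open file list of the new image and emit
 * pseudo-open events so descriptors inherited over fork/exec still pair with a later close. */
void model_exec(int pid, const int *fds, const char *const *paths, int n) {
    for (int i = 0; i < n; i++) enqueue(pid, fds[i], 'i', paths[i]);
}

/* The user audit process's pairing step: drain the device and count close records that match
 * an earlier open/inherit record with the same (pid, fd). Unmatched closes are left unpaired. */
int audit_count_paired(void) {
    struct audit_rec r;
    int live_pid[QUEUE_LEN], live_fd[QUEUE_LEN], nlive = 0, paired = 0;
    while (audit_dequeue(&r)) {
        if (r.op == 'o' || r.op == 'i') {
            if (nlive < QUEUE_LEN) { live_pid[nlive] = r.pid; live_fd[nlive] = r.fd; nlive++; }
        } else {
            for (int i = 0; i < nlive; i++)
                if (live_pid[i] == r.pid && live_fd[i] == r.fd) {
                    live_pid[i] = live_pid[nlive - 1]; live_fd[i] = live_fd[nlive - 1]; nlive--;
                    paired++; break;
                }
        }
    }
    return paired;
}

int main(void) {
    struct audit_rec r;
    audit_install();
    int fd = model_open(100, "/etc/passwd");          /* constructed sample activity */
    model_close(100, fd);
    const int inherited[] = { 3 };
    const char *const ipaths[] = { "/var/log/messages" };
    model_exec(101, inherited, ipaths, 1);
    while (audit_dequeue(&r))
        printf("pid=%d op=%c fd=%d path=%s\n", r.pid, r.op, r.fd, r.path);
    return 0;
}
```

Two things the model makes visible that the mail only implies: the pairing only works if the exec hook really does emit the pseudo-open for every inherited descriptor (a close with no prior record stays unpaired), and a fixed-size queue between the kernel stub and a user reader needs an overrun policy, since a slow audit process otherwise silently loses events; here the loss is counted so the reader can at least tell that it happened.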