From owner-freebsd-hackers Fri Oct 17 16:30:18 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA15235 for hackers-outgoing; Fri, 17 Oct 1997 16:30:18 -0700 (PDT) (envelope-from owner-freebsd-hackers)
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.5.84]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA15224 for ; Fri, 17 Oct 1997 16:30:11 -0700 (PDT) (envelope-from tlambert@usr06.primenet.com)
Received: (from daemon@localhost) by smtp03.primenet.com (8.8.7/8.8.7) id QAA16857; Fri, 17 Oct 1997 16:30:09 -0700 (MST)
Received: from usr06.primenet.com(206.165.6.206) via SMTP by smtp03.primenet.com, id smtpd016852; Fri Oct 17 16:30:02 1997
Received: (from tlambert@localhost) by usr06.primenet.com (8.8.5/8.8.5) id QAA07875; Fri, 17 Oct 1997 16:30:01 -0700 (MST)
From: Terry Lambert
Message-Id: <199710172330.QAA07875@usr06.primenet.com>
Subject: Re: Question about file opens
To: chuck@fang.cs.sunyit.edu (Charles Green)
Date: Fri, 17 Oct 1997 23:30:01 +0000 (GMT)
Cc: hackers@FreeBSD.ORG
In-Reply-To: <199710151010.KAA28975@fang.cs.sunyit.edu> from "Charles Green" at Oct 15, 97 10:10:56 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> For a project I'm working on we're interested in tracking file opens,
> and are interested in the best way of tracking them. Any ideas? Or is it
> impossible without modifying the kernel?

Without modifying the kernel at all? No, if you need to track opens as
events.

Without permanently modifying the kernel, you mean? Yes, it's pretty
trivial...

Load an LKM that copies off the file name to an event queue, and then
call the real open. You can replace the real open with your stub function
by saving the value of the sysent structure at sysent[SYS_open] and
pointing it to your function instead. You will have to copy the path in
twice, but this is not a real hardship.
If you are trying to track resources, you will need to hack SYS_close as
well, and look at the per process open file table to generate paired
events. If you expect it to work paired over fork, an exec will have to
examine the per process open file list, and generate pseudo-open events.

I would probably save the path in the queue record.

I would probably use a character pseudo device as the queue head, and
have a user audit process dequeue entries by reading a fixed length
structure from the device.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
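As an added illustration (not code from the post or from FreeBSD), here is a user-space C model of the design Terry describes: a sysent-style dispatch table whose SYS_open and SYS_close slots are saved off and repointed at stubs that chain to the originals and push fixed-length records onto a queue, with close consulting the open file table to pair its record with the earlier open. The names `sysent`, `sy_call` and `SYS_open` mirror the kernel's; the slot numbers, `real_open`/`real_close`, the one-process file table and `audit_read` (standing in for the read on the pseudo device) are constructed for the model.

```c
#include <string.h>
enum { MAXPATH = 64, NFD = 16, QLEN = 32 };              /* fixed-length records; sizes chosen for the model */
enum { SYS_open = 5, SYS_close = 6, NSYS = 8, EV_OPEN = 1, EV_CLOSE = 2 };  /* slot/event numbers chosen here */
struct event { int type; int fd; char path[MAXPATH]; };  /* queue record the audit process reads */
typedef int (*sy_call_t)(const char *path, int fd);
struct sysent { sy_call_t sy_call; };
static char fdtab[NFD][MAXPATH];                         /* per-process open file table (one process modelled) */
static struct event queue[QLEN]; static int qhead, qtail, installed;
static sy_call_t saved_open, saved_close;                /* originals, saved before the slots are repointed */
/* the "real" calls: open takes the lowest free slot, close releases it */
static int real_open(const char *path, int fd) {
    for (int i = 0; i < NFD; i++)
        if (!fdtab[i][0]) { strncpy(fdtab[i], path, MAXPATH - 1); return i; }
    return -1;
}
static int real_close(const char *path, int fd) {
    if (fd < 0 || fd >= NFD || !fdtab[fd][0]) return -1;
    fdtab[fd][0] = '\0'; return 0;
}
static struct sysent sysent[NSYS] = { [SYS_open] = { real_open }, [SYS_close] = { real_close } };  /* stock table */
static void enqueue(int type, int fd, const char *path) {
    if ((qtail + 1) % QLEN == qhead) return;             /* queue full: record dropped, the auditor sees a gap */
    struct event *e = &queue[qtail];
    e->type = type; e->fd = fd;
    strncpy(e->path, path, MAXPATH - 1); e->path[MAXPATH - 1] = '\0';
    qtail = (qtail + 1) % QLEN;
}
/* stubs: chain to the saved original, then queue a record for the successful call */
static int hook_open(const char *path, int fd) {
    int r = saved_open(path, fd);
    if (r >= 0) enqueue(EV_OPEN, r, path); return r;
}
static int hook_close(const char *path, int fd) {        /* close carries no path: read the file table first */
    char name[MAXPATH] = "";
    if (fd >= 0 && fd < NFD) strncpy(name, fdtab[fd], MAXPATH - 1);
    int r = saved_close(path, fd); if (r == 0) enqueue(EV_CLOSE, fd, name);
    return r;
}
void install_hooks(void) {                               /* what the LKM does at load time */
    if (installed++) return;
    saved_open = sysent[SYS_open].sy_call;   sysent[SYS_open].sy_call = hook_open;
    saved_close = sysent[SYS_close].sy_call; sysent[SYS_close].sy_call = hook_close;
}
int syscall_dispatch(int num, const char *path, int fd) { return sysent[num].sy_call(path, fd); }
int audit_read(struct event *out) {                      /* the audit process's read() on the pseudo device */
    if (qhead == qtail) return 0;
    *out = queue[qhead]; qhead = (qhead + 1) % QLEN; return 1;
}
```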