On Mon, Feb 7, 2011 at 18:37, G Hazel <geoffha...@gmail.com> wrote:
> I've got a mystery process writing to my /etc/inet/hosts file. I'd like to
> find a dtrace script that can monitor the file and do a "ps -ef" or
> equivalent to capture the process that's writing to the file. I'm a dtrace
> newbie, and was hoping someone here could point me in the right direction.
> I've googled it and found some scripts that apply to zfs, this is just ufs.

Which fs is in use here should be irrelevant; I'd monitor the open and write
system calls, maybe starting with something like this (check the details, I'm
typing this from memory):

syscall::open:entry
/copyinstr(arg0) == "/etc/hosts" || copyinstr(arg0) == "/etc/inet/hosts"/
/* also check for "w" permission here */
{
        /* buffer the output until we know whether open() succeeded */
        self->s = speculation();
        speculate(self->s);
        printf("%s opening hosts\n", execname);
}

/* do the same as above for openat() */

syscall::open:return
/self->s && arg1 == -1/ /* failure */
{
        /* the open failed: throw the buffered output away */
        discard(self->s);
        self->s = 0;
}

syscall::open:return
/self->s/
{
        /* the open succeeded: emit the buffered output */
        commit(self->s);
        self->s = 0;
}

This should tell you who's successfully opened /etc/inet/hosts

HTH
Michael
>
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss@opensolaris.org
>

-- 
regards/mit freundlichen Grüssen
Michael Schuster
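
A fuller version of the approach in the reply above, as an added example that is not part of the original thread: it covers open64() and openat(), fills in the write-permission check, prints the "ps -ef"-style details asked for, and also reports rename() over the file, which replaces it without ever opening it for writing. It decides at the return probe instead of using speculation. The flag values, the argument layouts and the WRITE_MASK name are assumptions stated in the comments.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Assumed: Solaris flag values O_WRONLY = 1, O_RDWR = 2, and argument
 * layouts open(path, oflag, ...) and openat(fd, path, oflag, ...).
 */
#pragma D option quiet
#pragma D option zdefs		/* tolerate probes missing on this release */

inline int WRITE_MASK = 0x3;	/* O_WRONLY | O_RDWR (assumed values) */

syscall::open:entry,
syscall::open64:entry
/(arg1 & WRITE_MASK) && basename(copyinstr(arg0)) == "hosts"/
{
	self->path = copyinstr(arg0);
	self->watch = 1;
}

syscall::openat:entry,
syscall::openat64:entry
/(arg2 & WRITE_MASK) && basename(copyinstr(arg1)) == "hosts"/
{
	self->path = copyinstr(arg1);
	self->watch = 1;
}

/* Report only opens that succeeded (a file descriptor came back). */
syscall::open*:return
/self->watch && (int)arg0 >= 0/
{
	printf("%Y open-for-write %s pid=%d ppid=%d uid=%d exec=%s args=%s\n",
	    walltimestamp, self->path, pid, ppid, uid, execname,
	    curpsinfo->pr_psargs);
}

syscall::open*:return
/self->watch/
{
	self->watch = 0;
	self->path = 0;
}

/* rename(from, to) over the file; reported at entry, so attempts too. */
syscall::rename:entry
/basename(copyinstr(arg1)) == "hosts"/
{
	printf("%Y rename-over %s pid=%d ppid=%d uid=%d exec=%s args=%s\n",
	    walltimestamp, copyinstr(arg1), pid, ppid, uid, execname,
	    curpsinfo->pr_psargs);
}
```

Matching on the basename catches relative paths such as "hosts" opened from inside /etc/inet, at the cost of also reporting unrelated files named hosts; the printed path shows which one was touched.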