On Saturday, 22 November 2003 at 23:58:10 +0100, Cordula's Web wrote:
> Hello list,
>
> maybe someone knows the answer for the following problem already?
>
> Summary:
> ========
>   What is the canonical way to monitor accesses to a file?
>
> Problem description:
> ====================
>
>   A file, let's say, /path/to/a/file, is being modified by
>   an unknown process P(u) at random times. Unfortunately,
>   the name of the program run by P(u) is unknown.
>
>   The goal is to catch P(u) "red-handed," just the moment
>   it accesses /path/to/a/file, e.g. by looking up in the
>   process table with ps(1).

That's not exactly red-handed, it's just not too long afterwards.

I don't think you're going to find a simple answer to this one.  If I
had this problem, I'd probably build a kernel with special code to
recognize opens on this file (so that you can get the address of the
file table) and writes to it (though this may be redundant).  The code
would enter the kernel debugger or maybe just panic, depending on the
environment.  That way you'd really catch the culprit red-handed.

An alternative might depend on knowledge of what the file does.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply or reply to the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address and phone numbers.
