I'm trying to find a way to find the process deleting files.....
I tried: dtrace -n syscall::unlink:entry
dtrace -F -f unlink -v
While it picks up the unlinking(I tested by doing a rm of some files),
I could not get the pid of the process doing such rm.....(or maybe the
process exited...)
I'd like to see the process/adpp/program, calling a particular system
call....unlink, close, open etc etc...
I wonder if dtrace can capture both library calls and system
calls......
It seems functionality for capturing system calls from a process are
more documented, and with examples, than, those asking for finding
which system calls get opened by whom....
Is getting unlink enough to find "what is removing files?"
How do I dtrace for "anything that touched that file" or, "anything
that touches files in a directory"
|
|
0
|
|
|
|
Reply
|
 solquestions
|
1/6/2009 11:28:36 PM |
|
solquestions@lycos.com wrote:
> I'm trying to find a way to find the process deleting files.....
>
> I tried: dtrace -n syscall::unlink:entry
> dtrace -F -f unlink -v
>
> While it picks up the unlinking(I tested by doing a rm of some files),
> I could not get the pid of the process doing such rm.....(or maybe the
> process exited...)
>
> I'd like to see the process/adpp/program, calling a particular system
> call....unlink, close, open etc etc...
>
> I wonder if dtrace can capture both library calls and system
> calls......
>
> It seems functionality for capturing system calls from a process are
> more documented, and with examples, than, those asking for finding
> which system calls get opened by whom....
>
> Is getting unlink enough to find "what is removing files?"
>
> How do I dtrace for "anything that touched that file" or, "anything
> that touches files in a directory"
You could remove write access to the directory and to the file! Any
program tring to remove the file should then get an error
|
|
|
0
|
|
|
|
Reply
|
Richard
|
1/7/2009 1:47:29 AM
|
|
solquestions@lycos.com schrieb:
> I'm trying to find a way to find the process deleting files.....
>
> I tried: dtrace -n syscall::unlink:entry
> dtrace -F -f unlink -v
>
Hi,
> While it picks up the unlinking(I tested by doing a rm of some files),
> I could not get the pid of the process doing such rm.....(or maybe the
> process exited...)
>
Did you try already
dtrace -n \
'syscall::unlink:entry { printf("%s (%u) \
deletes %s",execname,pid,copyinstr(arg0)); }'
?
(\ means ignore line feed)
This worked with a test for me.
Heinz
> I'd like to see the process/adpp/program, calling a particular system
> call....unlink, close, open etc etc...
>
> I wonder if dtrace can capture both library calls and system
> calls......
>
> It seems functionality for capturing system calls from a process are
> more documented, and with examples, than, those asking for finding
> which system calls get opened by whom....
>
> Is getting unlink enough to find "what is removing files?"
>
> How do I dtrace for "anything that touched that file" or, "anything
> that touches files in a directory"
--
Heinz Mueller heinz.mueller@fujitsu-siemens.com
IP SSC VAL XS SWE
Tel: (+49)5251 815137 Fax: (+49)5251 8 20209
Disclaimer: All opinions above are my own (at least I think so ;-))
|
|
|
0
|
|
|
|
Reply
|
Heinz
|
1/7/2009 11:56:00 AM
|
|
On Jan 7, 5:56=A0am, Heinz Mueller <heinz.muel...@fujitsu-siemens.com>
wrote:
> solquesti...@lycos.com schrieb:> I'm trying to find a way to find the pro=
cess deleting files.....
>
> > I tried: dtrace -n syscall::unlink:entry
> > dtrace -F -f unlink -v
>
> Hi,
>
> > While it picks up the unlinking(I tested by doing a rm of some files),
> > I could not get the pid of the process doing such rm.....(or maybe the
> > process exited...)
>
> Did you try already
> dtrace -n \
> 'syscall::unlink:entry { printf("%s (%u) \
> =A0 deletes %s",execname,pid,copyinstr(arg0)); }'
> ?
> (\ means ignore line feed)
>
> This worked with a test for me.
> Heinz
>
> > I'd like to see the process/adpp/program, calling a particular system
> > call....unlink, close, open etc etc...
>
> > I wonder if dtrace can capture both library calls and system
> > calls......
>
> > It seems functionality for capturing system calls from a process are
> > more documented, and with examples, than, those asking for finding
> > which system calls get opened by whom....
>
> > Is getting unlink enough to find "what is removing files?"
>
> > How do I dtrace for "anything that touched that file" or, "anything
> > that touches files in a directory"
>
> --
> Heinz Mueller heinz.muel...@fujitsu-siemens.com
> IP SSC VAL XS SWE
> Tel: (+49)5251 815137 Fax: (+49)5251 8 20209
> Disclaimer: All opinions above are my own (at least I think so ;-))
Thanks, I'm assuming, that, without, unlink, no deletes are possible
|
|
|
0
|
|
|
|
Reply
|
solquestions
|
1/7/2009 6:53:35 PM
|
|
|
3 Replies
1035 Views
(page loaded in 0.06 seconds)
|
Search |
Post Question |
Groups |
Stream |
About |
Register
25729 articles. 
78 followers. 