monitor which process modified a file under FreeBSD/Linux - linux

From time to time, a file that I'm interested in is modified by some process. I need to find out which process is modifying this file. Using lsof will not work, nor does kqueue. Is this possible under FreeBSD and Linux?

On Linux, there's a kernel patch floating around for inotify. However, some have said this is rarely useful and that it can be a security risk. In any case, here's the patch.
Apart from that, I'm not sure there's any way to get the PID, either with inotify or dnotify. You could investigate further (e.g. search for pid dnotify or pid inotify), but I believe it isn't likely.

On FreeBSD, perhaps it should be best if you check its auditing features.

Linux has an audit daemon http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
See also auditd homepage

You can see which processes opened a file just installing and using lsof (LiSt Open Files) command.

Related

Monitor STDERR of all processes running on my linux machine

I would like to monitor the STDERR channel of all the processes running on my Linux. Monitoring should preferably be done at real-time (i.e. while the process is running), but post-processing will also do. It should be done without requiring root permissions, and without breaking any security features.
I have done a good bit of searching, and found some utilities such as reptyr and screenify, and a few explanations on how to do this with gdb (for example here). However, all of these seem to be doing both too much and too little. Too much in the sense that they take full control of the process's stream handles (i.e. closing original one and opening a new one). Too little in the sense that they have serious limitations, such as the fact that require disabling security features, such as ptrace_scope.
Any advice would be highly appreciated!
Maybe this question would get more answers on SU. The only thing I could think of would be to monitor the files and devices already opened as STDERR. Of course, this would not work if STDERR is redirected to /dev/null.
You can get all the file descriptors for STDERR with:
ls -l /dev/proc/[0-9]*/fd/2
If you own the process, accessing its STDERR file descriptor or output file should be possible in the language of your choice without being root.

Retrieving a list of all file descriptors (files) that a process ever opened in linux

I would like to be able to get a list of all of the file descriptors (now considering this question to pertain to actual files) that a process ever opened during the runtime of the process. The problem with polling /proc/(PID)/fd/ is that you only get a snapshot in time of what is currently open. Is there a way to force linux to keep this information around long enough to log it for the entire run of the process?
First, notice that a file descriptor which is open-ed then close-d by the application is recycled by the kernel (a future open could give the same file descriptor). See open(2) and close(2) and read Advanced Linux Programming.
Then, consider using strace(1); you'll be able to log all the syscalls (or perhaps just open, socket, close, accept, ... that is the syscalls changing the file descriptor table). Of course strace is using the ptrace(2) syscall (which you probably don't want to bother using directly).
The simplest way would be to run strace -o /tmp/mytrace.tr yourprog argments... and to look, e.g. with some pager like less, into the quite big /tmp/mytrace.tr file.
As Gearoid Murphy commented you could restrict the output of strace using e.g. -e trace=file.
BTW, to debug Makefile-s this is the wrong approach. Learn more about remake.

trigger alert when a specified command executes in linux

I have 3 samba shares mounted in my system, but suddenly, one of them gets umounted without my permision. Maybe one of houndreds of scripts which run in my crontab, but i dont know which one.
I've reviewed all /var/log directory looking for umount word without success, then i want to log when command umount is executed and which process is running it.
Maybe with syslog, maybe with another log, maybe a mail to my box....
Thanks a lot.
I have this software:
mount: mount-2.12q
mount.cifs version: 1.14-3.5.4
Unmounting does not only happen by calling the umount binary, many programs might do it. See the manual page (man syscalls) and search for umount. This said, you would have to hook the corresponding syscall and see who invokes it. I'm not sure, but most probably it's possible to disconnect inside the kernel by calling the corresponding method directly, so functionality might bypass the syscall interface which is mainly required for userspace interaction. In this case you would have to use some debugging technique on the kernel itself, which maybe is a little much for finding your problem!
You may have success using strace on an already running process (man strace), for example smbd, and see if this process invokes umount, which is quite possible.
Anyways, if you can recompile your kernel from source, you might add some printk message inside the function that is used to unmount a device to see which process did it (this would be my approach for cases where nothing else, including strace, helps).
Since the mount is a change in the filesystem, maybe the inode-observer incron is a solution for you. Another option might be the auditd.

How to set watchpoints via procfs in Linux?

I'm trying to build a debugger-like program
under Linux (Ubuntu) and I've run into some problems.
From what I've heard, the /proc vfs provides mechanisms to
create watchpoints, but I can't seem to find out how.
Some man pages pointed me to “control file”s, supposedly located
at /proc/<pid>/ctl, but I can't find this file anywhere.
(Perhaps this file is only for Solaris? Or maybe it's Ubuntu's fault?)
Under Linux, as far as I know, a debugger will have to call ptrace to attach to the process being debugged, and possibly to influence its behavior.
Looking at the source of GDB is likely to be helpful.
There is information in /proc/<pid> that is of interest to debuggers. For example, you can read the process's memory via /proc/<pid>/mem. You can also use ptrace for this, and you need to use ptrace to write.

How to find which process the linux os running at a given moment?

So a OS multi-tasks and runs one process at a given moment (assuming it's a single core machine). Is there a way I can track/poll and find which process was running at what time and at what time it was put in the queue and retrieved back. Are there any system calls for this ?. Is there a way to achieve this without modifying the linux kernel's source.
I think you need lttng, it definitely give a you a elaborate view of the system's task switch thing(and much more than that) with the lttng viewer. Lttng's kernel part has been merged to current Linux kernel, and you can use it if your kernel has enabled this feature. Here is some screen shots for lttng.
I don't think you can do this natively. AFAIK linux does not a keep a history track of this information.
That's an illogical question. If you are querying the OS from a script/process then the active program is ... YOURS.
Though I guess if you want the history you could watch the /proc directory or the output from ps

Resources