Monitoring a file?
wegster at mindcore.net
Sat Nov 22 15:17:08 PST 2003
Cordula's Web wrote:
>maybe someone knows the answer for the following problem already?
> What is the canonical way to monitor accesses to a file?
> A file, let's say, /path/to/a/file, is being modified by
> an unknown process P(u) at random times. Unfortunately,
> the name of the program ran by P(u) is unknown.
> The goal is to catch P(u) "red-handed," just the moment
> it accesses /path/to/a/file, e.g. by looking up in the
> process table with ps(1).
> 1. Polling /path/to/a/file with stat(), lstat(), fstat(),
> and running a ps(1) as soon as the access times change;
> then diff(1) on all ps listings, trying to identify P(u).
> This solution is not good enough, because P(u) runs faster
> than the polling interval, and setting this polling interval
> to very small values is too expensive on a production server.
> 2. NFS mounting /path/to/a/file, and modifying nfsd(1) in such
> a way, that it runs ps(1) as soon as a request for
> /path/to/a/file is received. Let's call the modified
> nfsd nfsd-debug. Of course debug-nfsd and P(u) must run
> on the same machine.
> This is not good enough either, because ps(1)-listing
> is too long, and not always conclusive.
> 3. Using kqueue(2) and kevent(2) in a monitoring process
> P(m). P(m) would be attached to /path/to/a/file, and
> would use kevent(2) to receive kernel notifications
> as soon as /path/to/a/file is touched.
> Probably not enough either, because it is not possible to
> know which process triggered the event, only that an
> event occured on that vnode.
> -> Is that correct? I'm not familiar enough with kevent(2).
> I assume that some kind of monitoring process P(m) is
> needed, which would attach to /path/to/a/file, use kevent(2)
> to get notifications from the kernel. Now, how could P(m)
> find out, which process generated the events it gets?
> Is there another, preferably clever, way to solve this problem?
You may want to take a look at 'fam,' in /usr/ports/devel/fam , as some
of the code's already been done for this type of monitoring AFAIK...
More information about the freebsd-questions