Monitoring a file?

Greg 'groggy' Lehey grog at
Sat Nov 22 16:28:56 PST 2003

On Saturday, 22 November 2003 at 23:58:10 +0100, Cordula's Web wrote:
> Hello list,
> maybe someone knows the answer for the following problem already?
> Summary:
> ========
>   What is the canonical way to monitor accesses to a file?
> Problem description:
> ====================
>   A file, let's say, /path/to/a/file, is being modified by
>   an unknown process P(u) at random times. Unfortunately,
>   the name of the program ran by P(u) is unknown.
>   The goal is to catch P(u) "red-handed," just the moment
>   it accesses /path/to/a/file, e.g. by looking up in the
>   process table with ps(1).

That's not exactly red-handed, it's just not too long afterwards.

I don't think you're going to find a simple answer to this one.  If I
had this problem, I'd probably build a kernel with special code to
recognize opens on this file (so that you can get the address of the
file table) and writes to it (though this may be redundant).  The code
would enter the kernel debugger or maybe just panic, depending on the
environment.  That way you'd really catch the culprit red-handed.

An alternative might depend on knowledge of what the file does.

When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply or reply to the original recipients.
For more information, see
See complete headers for address and phone numbers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list