SUMMARY: How to trace/catch all refs. made to a file.

Post by Amit Bha » Wed, 03 Nov 1993 06:28:24



Hi folks !

Sometime back I had posted a question on comp.simulation requesting
people to suggest ways to trace or catch (a list of) all accesses made
to a particular file. In essence, this could be a trace of all the
reads and writes that occurred to a file, with details such as when, for
how long, type of access, etc.

There were requests to post a summary. Here is the summary of the two
replies I received. I have edited and reformatted the replies to
contain only the relevant portions.

Cheers,

amit
--
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| Amit Bhati                          |

|                                     |
| ...my other .sig is POSIX compliant.|
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

:::::::::::
REPLY NO. 1
:::::::::::

Date: Thu, 21 Oct 1993 18:51:40 +0100


Hi!

Have you tried using the UNIX command 'trace'? It traces all system
calls and signals, and seeing that reads and writes are system calls
these are traced too. I tried it with the following C code:

------------------ BEGIN C CODE -----------------------

#include <fcntl.h>      /* open(), O_CREAT, O_WRONLY */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* write(), close() */

char c[] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j' };

int main(void)
{
    int  q, n;
    int  fd;

    /* create "foo" in the current directory and write 10 bytes to it 5 times */
    fd = open("foo", O_CREAT | O_WRONLY, 0644);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    n = 0;
    for (q = 0; q < 5; q++)  n = n + write(fd, c, 10);
    printf("N = %d\n", n);      /* 50 if every write completes */

    close(fd);
    exit(4);                    /* deliberate status, shows up as exit (4) in the trace */
}

---------------------end of C code--------------------------------

I compiled this program with,

        UNIX> cc -o read read.c

and then ran,

        UNIX> trace read

This gave the following data as output.

----------------- BEGIN TRACE DATA ------------------

open ("/usr/lib/ld.so", 0, 010000) = 3
read (3, "".., 32) = 32
mmap (0, 40960, 0x5, 0x80000002, 3, 0) = 0xf77c0000
mmap (0xf77c8000, 8192, 0x7, 0x80000012, 3, 32768) = 0xf77c8000
open ("/dev/zero", 0, 07) = 4
getrlimit (3, 0xf7fff7b8) = 0
mmap (0xf7800000, 8192, 0x3, 0x80000012, 4, 0) = 0xf7800000
close (3) = 0
getuid () = 706
getgid () = 15
open ("/etc/ld.so.cache", 0, 010000) = 3
fstat (3, 0xf7fff658) = 0
mmap (0, 8192, 0x1, 0x80000001, 3, 0) = 0xf7780000
close (3) = 0
open ("/local/lib", 0, 01010525) = 3
fstat (3, 0xf7fff658) = 0
mmap (0xf7802000, 8192, 0x3, 0x80000012, 4, 0) = 0xf7802000
getdents (3, 0xf78000f0, 8192) = 1156
getdents (3, 0xf78000f0, 8192) = 0
close (3) = 0
open ("/local/lib/X11R4", 0, 012) = 3
getdents (3, 0xf78000f0, 8192) = 580
getdents (3, 0xf78000f0, 8192) = 0
close (3) = 0
open ("/usr/lib/libc.so.1.7", 0, 022460) = 3
read (3, "".., 32) = 32
mmap (0, 458764, 0x5, 0x80000002, 3, 0) = 0xf76e0000
mmap (0xf774c000, 16384, 0x7, 0x80000012, 3, 442368) = 0xf774c000
close (3) = 0
open ("/usr/lib/libdl.so.1.0", 0, 022500) = 3
read (3, "".., 32) = 32
mmap (0, 16396, 0x5, 0x80000002, 3, 0) = 0xf76a0000
mmap (0xf76a2000, 8192, 0x7, 0x80000012, 3, 8192) = 0xf76a2000
close (3) = 0
close (4) = 0
open ("foo", 01001, 0644) = 3
write (3, "abcdefghij", 10) = 10
write (3, "abcdefghij", 10) = 10
write (3, "abcdefghij", 10) = 10
write (3, "abcdefghij", 10) = 10
write (3, "abcdefghij", 10) = 10
ioctl (1, 0x40125401, 0xf7ffedb4) = 0
getpagesize () = 8192
brk (0x60f0) = 0
brk (0x80f0) = 0
write (1, "N = 50\n", 7) = 7
close (3) = 0
close (0) = 0
close (1) = 0
close (2) = 0
exit (4) = ?
-------------------end of trace data--------------------

The trace data reveals that the file 'foo' is given file descriptor 3
and that 5 writes are made to this file.

Of course, the trace file contains all the system calls, but by using
the 'sed' parser and line editor you might extract some of the
necessary information.

I hope this was of some help to you.

Later,

Christian S. Rosnes

University of Oslo.
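The post-processing step Christian leaves to sed, written out as an added example that is not part of the original post or of any of the replies: a shell function (awk underneath) that filters trace output in the "name (args) = result" format shown above down to the accesses made to one named file. Rather than grepping for the file name, it follows the descriptor number that open() returns until close() releases it, so a descriptor that is recycled for another file (fd 3 above is used for ld.so, ld.so.cache, libc and only then for foo) is not misattributed. The function names trace_file_accesses and sample_trace are my own, the line format is assumed to be exactly the one in the trace data above, and the sample trace is constructed for the example, not real trace output.

```sh
#!/bin/sh
# Added example (not from the original post): follow one file through
# SunOS-style 'trace' output by tracking the descriptor open() hands back.
# Assumed line format, as in the post:   name (arg, arg, ...) = result

# trace_file_accesses TARGET < tracefile
# Prints one line per access to TARGET and a final summary line.
trace_file_accesses() {
    awk -v target="$1" '
    {
        name = $1
        rv   = $NF
        line = $0
        # strip the trailing ") = result", then everything up to the first "("
        sub(/\) = [^ ]*$/, "", line)
        args = substr(line, index(line, "(") + 1)
        split(args, a, /, /)

        if (name == "open") {
            path = a[1]; gsub(/"/, "", path)
            if (rv ~ /^[0-9]+$/) {
                # a descriptor number is recycled: whatever open() returns
                # it ends any earlier association of that number with a file
                delete watched[rv]
                if (path == target) {
                    watched[rv] = 1; opens++
                    printf "open  %s fd=%s flags=%s\n", path, rv, a[2]
                }
            }
            next
        }

        # descriptor-taking calls carry the fd as first argument (mmap: fifth)
        fd = (name == "mmap") ? a[5] : a[1]
        if (!(fd in watched)) next
        if (name == "read"  && rv ~ /^[0-9]+$/) { reads++;  bytes_in  += rv }
        if (name == "write" && rv ~ /^[0-9]+$/) { writes++; bytes_out += rv }
        printf "%-5s fd=%s -> %s\n", name, fd, rv
        if (name == "close") delete watched[fd]
    }
    END {
        printf "summary %s: opens=%d reads=%d/%d bytes writes=%d/%d bytes\n",
               target, opens, reads, bytes_in, writes, bytes_out
    }'
}

# Constructed sample in the format of the trace above (not real output):
# fd 3 is used for ld.so.cache, then for "foo", then for "bar"; "foo" is
# later reopened read-only as fd 4 and mapped.
sample_trace() {
    cat <<'EOF'
open ("/etc/ld.so.cache", 0, 010000) = 3
fstat (3, 0xf7fff658) = 0
close (3) = 0
getuid () = 706
open ("foo", 01001, 0644) = 3
write (3, "abcdefghij", 10) = 10
write (3, "abcdefghij", 10) = 10
fstat (3, 0xf7fff658) = 0
write (1, "N = 20\n", 7) = 7
close (3) = 0
open ("bar", 0, 0) = 3
read (3, "".., 32) = 32
close (3) = 0
open ("foo", 0, 0) = 4
read (4, "".., 20) = 20
mmap (0, 8192, 0x1, 0x80000001, 4, 0) = 0xf7780000
close (4) = 0
exit (0) = ?
EOF
}

# Usage against the sample; for a real run, save the trace output to a
# file first and feed it on stdin:  trace_file_accesses foo < trace.out
sample_trace | trace_file_accesses foo
```

On the sample this reports the two opens of foo, the two writes and the fstat on fd 3, the read and mmap on fd 4, and a summary of 2 writes for 20 bytes and 1 read for 20 bytes; the read of 32 bytes on the recycled fd 3 belongs to bar and is left out. Two limits worth knowing: the filter does not follow dup()/dup2() aliases or fork()ed children, and a per-process trace never shows accesses made by other processes, which is where the system-wide audit trail mentioned in Reply 2 comes in.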


Date: Tue, 26 Oct 93 13:13:23 MDT

You should look into "trace" and "ptrace".  They are available at
least on BSD systems.  They allow the tracing of all unix system calls
(among other useful tracing).

Also, try the newsgroup comp.unix.questions.

--
Darrin West, MSc.
Jade Simulations International Corporation.

::::::::::::
REPLY NO. 2
::::::::::::


Date: Sat, 30 Oct 93 21:20:41 EDT

Organization: The American University

Sounds like NCSC C2 requirements (see the Orange Book on computer
security if you're not sure what I mean :-)  On SunOS 4.1.x and
probably SunOS 5.x, you can turn on various auditing flags for different
objects, like files.  Not sure if you can specify which file(s) you
want to watch, but then you could parse through the audit trails
to look for your file names and parse out the type of access.

This is real ugly and consumes megabeaucoupstons of disk space.

Good luck finding a better way.

Jim
Chief Network Operating Systems Shop
Defense Intelligence Agency
Bolling Air Force Base
Washington, D.C.  20340