4.2.6. Monitoring Changes to File Attributes
This section describes how to monitor if any processes are changing the attributes of a targeted file, in real time.
inodewatch2-simple.stp
global ATTR_MODE = 1 probe kernel.function("inode_setattr") { dev_nr = $inode->i_sb->s_dev inode_nr = $inode->i_ino if (dev_nr == ($1 << 20 | $2) # major/minor device && inode_nr == $3 && $attr->ia_valid & ATTR_MODE) printf ("%s(%d) %s 0x%x/%u %o %d\n", execname(), pid(), probefunc(), dev_nr, inode_nr, $attr->ia_mode, uid()) }
Like inodewatch.stp from Section 4.2.5, “Monitoring Reads and Writes to a File”, inodewatch2-simple.stp takes the targeted file's device number (in integer format) and
inode
number as arguments. For more information on how to retrieve this information, refer to Section 4.2.5, “Monitoring Reads and Writes to a File”.
The output for inodewatch2-simple.stp is similar to that of inodewatch.stp, except that inodewatch2-simple.stp also contains the attribute changes to the monitored file, as well as the ID of the user responsible (
uid()
). Example 4.10, “inodewatch2-simple.stp Sample Output” shows the output of inodewatch2-simple.stp while monitoring /home/joe/bigfile
when user joe
executes chmod 777 /home/joe/bigfile
and chmod 666 /home/joe/bigfile
.
Example 4.10. inodewatch2-simple.stp Sample Output
chmod(17448) inode_setattr 0x800005/6011835 100777 500 chmod(17449) inode_setattr 0x800005/6011835 100666 500