tools: Add dirwatch #4793

Open. Wants to merge 1 commit into base: master.

Conversation

@Rtoax (Contributor) commented Nov 5, 2023

We often need to monitor which processes in a directory have created and modified files, especially in the /etc directory. For example, sometimes the /etc/fstab is deleted by mistake, which causes the system to fail to reboot.

The dirwatch tool can monitor the creation and deletion of all files in a single directory, and can even capture the parent process when the verbose (-V) message is displayed.

Terminal 1:

    $ sudo ./dirwatch.py -D /etc/

Terminal 2:

    $ sudo mkdir -p /etc/a/b/c/d/e/
    $ sudo touch /etc/a/b/c/d/e/readme
    $ sudo rm -rf /etc/a

Then, Terminal 1 shows:

    $ sudo ./dirwatch.py -D /etc/
    Tracing file remove ... Hit Ctrl-C to end
    TIME     PID      COMM         OPERATE  INODE        FILEPATH
    15:40:35 28094    mkdir        MKDIR    2015         /etc//a
    15:40:35 28094    mkdir        MKDIR    67426298     /etc//a/b
    15:40:35 28094    mkdir        MKDIR    134492307    /etc//a/b/c
    15:40:35 28094    mkdir        MKDIR    201858033    /etc//a/b/c/d
    15:40:35 28094    mkdir        MKDIR    2058         /etc//a/b/c/d/e
    15:40:46 28100    touch        CREATE   2059         /etc//a/b/c/d/e/readme
    15:40:57 28107    rm           UNLINK   2059         /etc//a/b/c/d/e/readme
    15:40:57 28107    rm           RMDIR    2058         /etc//a/b/c/d/e
    15:40:57 28107    rm           RMDIR    201858033    /etc//a/b/c/d
    15:40:57 28107    rm           RMDIR    134492307    /etc//a/b/c
    15:40:57 28107    rm           RMDIR    67426298     /etc//a/b
    15:40:57 28107    rm           RMDIR    2015         /etc//a

TODO: Symbolic links are not supported yet.
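As an added example (not code from this PR or from the bcc project), a small parser for the table dirwatch.py prints above, plus a watchlist check for the /etc/fstab case the description mentions. The path normalisation handles the `/etc//a` double slash visible in the output; the trailing `/etc//fstab` row in the sample, the `find_alerts` helper and the watchlist are assumptions of this example.

```python
import re
from collections import namedtuple

# Added example, not code from the dirwatch PR: parse the table that
# dirwatch.py prints (TIME PID COMM OPERATE INODE FILEPATH) into records
# and flag destructive operations on a watchlist of critical paths.
Event = namedtuple("Event", "time pid comm op inode path")
ROW = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S.*)$")

# Constructed sample: the first rows are copied from the PR description's
# output; the last row is invented to stand for an /etc/fstab deletion.
SAMPLE = """\
Tracing file remove ... Hit Ctrl-C to end
TIME     PID      COMM         OPERATE  INODE        FILEPATH
15:40:35 28094    mkdir        MKDIR    2015         /etc//a
15:40:46 28100    touch        CREATE   2059         /etc//a/b/c/d/e/readme
15:40:57 28107    rm           UNLINK   2059         /etc//a/b/c/d/e/readme
15:40:57 28107    rm           RMDIR    2015         /etc//a
15:41:10 28120    rm           UNLINK   3001         /etc//fstab
"""

def normalize(path):
    """Collapse the '//' the tool emits when joining the -D directory and the entry name."""
    clean = re.sub(r"/+", "/", path)
    return clean if clean == "/" else clean.rstrip("/")

def parse(lines):
    """Return Event records for table rows; the banner and header lines never match ROW."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            t, pid, comm, op, inode, path = m.groups()
            events.append(Event(t, int(pid), comm, op, int(inode), normalize(path)))
    return events

def find_alerts(events, watchlist):
    """(pid, comm, op, path) for UNLINK/RMDIR on a watched path or anything beneath it."""
    watched = [normalize(w) for w in watchlist]
    return [(e.pid, e.comm, e.op, e.path) for e in events
            if e.op in ("UNLINK", "RMDIR")
            and any(e.path == w or e.path.startswith(w + "/") for w in watched)]

def inode_history(events):
    """Operations seen per inode, e.g. {2059: ['CREATE', 'UNLINK']}: pairs a create with its removal."""
    history = {}
    for e in events:
        history.setdefault(e.inode, []).append(e.op)
    return history
```

Feed `parse()` the lines of a captured dirwatch session and pass the result to `find_alerts()` with the paths you care about, e.g. `find_alerts(parse(SAMPLE.splitlines()), ["/etc/fstab"])`.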

@Rtoax force-pushed the patch-58-tools-dirwatch branch 2 times, most recently from 5e15534 to 269c2bf on November 7, 2023 00:58
Signed-off-by: Rong Tao <[email protected]>
@Rtoax force-pushed the patch-58-tools-dirwatch branch from 269c2bf to e4925a2 on November 7, 2023 00:58
@yonghong-song (Collaborator) commented:

Could you check whether the inotify() syscall can do a similar thing or not?

@Rtoax (Contributor, Author) commented Nov 13, 2023

Could you check whether the inotify() syscall can do a similar thing or not?

Yes, inotify can also do the same thing.

@Rtoax (Contributor, Author) commented Nov 30, 2023

Could you check whether the inotify() syscall can do a similar thing or not?

However, inotify cannot obtain user information.

@brendangregg (Member) commented:

We often need to monitor which processes in a directory have created and modified files, especially in the /etc directory

This sounds like outdated Unix security practices from the 1980s. I'd also want to see how it compares to other file notification frameworks, in detail.

This tool passes all VFS events to user space (including two strings, comm and pcomm) and does filtering there. At least it filters uint64 inodes, but this whole approach is inefficient.

The reason I was using BPF, and not straight-up perf, to do these tools was efficiency. A tool like this can just be done in perf. It's a tool using best practices from yesteryear. Thanks, but I'd reject this.
