Don't bogart that file my friend...

I spent yesterday at the Sun office in the City of London at a sort of open day for our customers. We were demonstrating the new features in Solaris 10, and someone asked us how they could detect that a user had *attempted* to delete a file (though the same holds true for read, write etc). So, even though the attempt to delete a file will fail due to permissions (either legacy or RBAC), they wanted to know that it had been attempted. Such a feat *is* achievable using auditing (aka BSM), but it is more fun, and more flexible, from DTrace. In the script below, we log a message to the messages file, and for fun kill the process! I'm no expert in DTrace, but it was pretty simple thanks in large part to Chris' blog earlier this month. Anyhow, the interesting thing was that the request from the customer was pretty random, but on the spot we were able to tell them how to achieve their aim with a few lines of 'D'. In the example below, the file is /tmp/fred.

#!/usr/sbin/dtrace -s

/* raise() and system() are destructive actions, so this option is required. */
#pragma D option destructive
#pragma D option quiet

/*
 * Fire on unlink(2) of /tmp/fred, whether it is named relative to a
 * cwd of /tmp or by its full path. copyinstr() copies the user-space
 * path string so it can be compared here and logged on return.
 */
syscall::unlink:entry
/ (copyinstr(arg0) == "fred" && cwd == "/tmp") || copyinstr(arg0) == "/tmp/fred" /
{
  self->prot = 1;
  self->path = copyinstr(arg0);
  raise(9);   /* SIGKILL the caller; delivered when it returns to user mode */
}

/* The return probe still fires before the signal is delivered, so log here. */
syscall::unlink:return
/ self->prot == 1 /
{
  /* self->path can only be one of the two literals matched above, so it is safe to hand to the shell. */
  system("logger -p user.err Deletion attempted of %s by user %d", self->path, uid);
  self->prot = 0;   /* clear the thread-local variables so they are not leaked */
  self->path = 0;
}
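As an added example (not the post's own script), the same idea carried over to the read/write case the post mentions: rather than killing the caller, it watches unlink(2), rename(2) and write-opens of /tmp/fred and logs only the attempts the kernel refused, using errno in the return probe. The file name is taken from the post; the open(2) flag values assumed are Solaris's O_WRONLY (1) and O_RDWR (2).

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not the original post's script: log refused attempts to
 * unlink, rename or open-for-write /tmp/fred (assumed file name). No
 * destructive actions are used, so "destructive" need not be enabled.
 */
#pragma D option quiet

/* Match the protected file named relative to a cwd of /tmp or by full path. */
syscall::unlink:entry,
syscall::rename:entry
/ (copyinstr(arg0) == "fred" && cwd == "/tmp") || copyinstr(arg0) == "/tmp/fred" /
{
  self->prot = 1;
  self->path = copyinstr(arg0);
  self->op = probefunc;
}

/* Solaris open flags: O_WRONLY == 1, O_RDWR == 2, so (arg1 & 3) != 0 is a write open. */
syscall::open:entry
/ ((copyinstr(arg0) == "fred" && cwd == "/tmp") || copyinstr(arg0) == "/tmp/fred")
  && (arg1 & 3) != 0 /
{
  self->prot = 1;
  self->path = copyinstr(arg0);
  self->op = probefunc;
}

/* errno is set in the return probe when the call failed (e.g. EACCES, EPERM). */
syscall::unlink:return,
syscall::rename:return,
syscall::open:return
/ self->prot && errno != 0 /
{
  printf("%Y %s[%d] uid %d: %s(%s) refused, errno %d\n",
      walltimestamp, execname, pid, uid, self->op, self->path, errno);
}

/* Clear the thread-local variables on every matched return, refused or not. */
syscall::unlink:return,
syscall::rename:return,
syscall::open:return
/ self->prot /
{
  self->prot = 0;
  self->path = 0;
  self->op = 0;
}
```

Successful calls produce no output, so a line here means a process was denied access to the file, which is the event the customer wanted to see.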
About

gjl
