Who keeps removing that file?

Over the years I've run into many cases where some file gets removed and there's no obvious culprit. With dtrace it is somewhat easy to figure out who did it:

    #! /usr/sbin/dtrace -wqs
    /* -w permits the destructive stop() and system() actions below */

    syscall::unlinkat:entry
    /cleanpath(copyinstr(arg1)) == "/dev/null"/
    {
            /* freeze the caller before the unlink actually happens */
            stop();
            printf("%s[%d] stopped before removing /dev/null\n", execname, pid);
            /* show the ancestry and user stack of the frozen process */
            system("ptree %d; pstack %d", pid, pid);
    }

That script will stop the process trying to remove /dev/null before it does it.  You can allow it to continue by restarting (unstopping?) the command with prun(1) or killing it with kill -9.  If you want the command to continue automatically after getting the ptree and pstack output, you can add "; prun %d" and another pid argument to the system() call.
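A logging variant, added here as an example and not part of the original post: rather than stopping the offender, it records every unlinkat() of a file that lives directly in a watched directory, along with the process, its parent, the user and whether the call succeeded. WATCHDIR is an assumed placeholder; the script uses no destructive actions, so it runs without -w.

```dtrace
#!/usr/sbin/dtrace -qs

/*
 * Added example (not the original post's script): log every unlinkat()
 * of a file that lives directly in WATCHDIR, with enough context to
 * identify the culprit afterwards. No destructive actions are used,
 * so -w is not required and nothing is stopped.
 * WATCHDIR is an assumed placeholder; point it at the directory of interest.
 */

inline string WATCHDIR = "/etc/myapp";

syscall::unlinkat:entry
/dirname(cleanpath(copyinstr(arg1))) == WATCHDIR/
{
	/* remember the path so the :return probe can report the outcome */
	self->path = cleanpath(copyinstr(arg1));
	self->watch = 1;
}

syscall::unlinkat:return
/self->watch && arg0 == 0/
{
	printf("%Y %s[%d] ppid=%d uid=%d removed %s\n",
	    walltimestamp, execname, pid, ppid, uid, self->path);
}

syscall::unlinkat:return
/self->watch && arg0 != 0/
{
	/* failed attempts are worth seeing too: they show intent */
	printf("%Y %s[%d] ppid=%d uid=%d failed to remove %s (errno %d)\n",
	    walltimestamp, execname, pid, ppid, uid, self->path, errno);
}

syscall::unlinkat:return
/self->watch/
{
	/* release the thread-local storage */
	self->path = 0;
	self->watch = 0;
}
```

Run it as root and leave it in a terminal (or under nohup) until the file disappears; the ppid and uid fields usually point at the cron job, service or login session responsible. A file can also vanish by being renamed over, so a matching pair of entry/return clauses on renameat catches that case the same way. Once the culprit is known, the stopping script above can be used to catch it red-handed.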

Comments:

Oracle's Enterprise Manager 12c with Compliance Real-time Monitoring will monitor all of your critical files and tell you when they were deleted, the user that deleted it, and the process name and process ID that deleted the file. This is useful in scenarios where you want to scale this monitoring to thousands of files across your critical infrastructure.

Posted by guest on November 08, 2013 at 11:48 AM CST #

But doing it with dtrace is much cooler :)

Posted by guest on November 11, 2013 at 10:10 AM CST #

About

I'm a Principal Software Engineer in the Solaris Zones team. In this blog, I'll talk about zones, how they interact with other parts of Solaris, and related topics.
