Using SystemTap to monitor files being opened

SystemTap allows you to take a real-time peek into any function call in the kernel. To demonstrate this, I wrote a stap script which will print the full path of any files opened by a specific user.

Disclaimer: Executing this script will build and load a module into your kernel. While I did not experience any problems with this specific script, please be aware that playing in kernel-space is not without its dangers.

Running the script

You can download the script from here. To monitor any files being opened by UID 1000, simply execute the following:

sudo stap file_open.stp 1000

Note: If you don’t specify the UID, the script will not run.

The output will look something like the following:

Tracking any files opened by requested uid 1000. Type Ctrl-C to quit

open path: /usr/share/themes/Ambiance/gtk-2.0/apps/img/panel.png
open path: /usr/share/themes/Ambiance/gtk-2.0/apps/img/panel.png
open path: /usr/share/themes/Ambiance/gtk-2.0/apps/img/panel.png
open path: /usr/share/themes/Ambiance/gtk-2.0/apps/img/panel.png
open path: /usr/share/themes/Ambiance/gtk-2.0/apps/img/panel.png
open path: /etc/passwd
open path: /home/jharvey/.history/ender

How it works

The kernel function I am probing here is “generic_file_open”. This function is passed a file structure, whose dentry carries the file’s own name and a pointer to its parent directory’s dentry. When the function is called, the probe takes the file structure and passes it to a loop which follows those parent pointers, retrieving the name of each directory on the way back to “/”, and prints the assembled path.
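A reconstruction of that probe, added here as an example (it is not the author’s downloadable file_open.stp). It assumes the second parameter of generic_file_open is named filp as in the kernel source, that kernel debuginfo is installed, and that the tapset provides fullpath_struct_file(); the manual d_parent walk the post describes is shown beside that mount-aware helper so the two can be compared:

```systemtap
#!/usr/bin/env stap
# Added example, not the original file_open.stp. Usage:
#   sudo stap file_open.stp 1000
# Assumes generic_file_open(struct inode *, struct file *filp) with debuginfo
# available, and a tapset that provides fullpath_struct_file().

probe begin {
    # $1 is substituted textually; with no argument the script fails to
    # parse, which is why a UID is required.
    printf("Tracking any files opened by requested uid %d. Type Ctrl-C to quit\n", $1)
}

# Follow d_parent links from the file's dentry up to the root of its mount,
# prepending one component per step. This is the "loop back to /" approach;
# it does not cross mount points, so a file on a separately mounted /home
# is reported relative to that mount (e.g. "/jharvey/.bashrc").
function dentry_walk:string(dentry:long) {
    path = ""
    depth = 0
    while (depth++ < 64) {                    # bound the walk for MAXACTION
        parent = @cast(dentry, "dentry")->d_parent
        if (parent == dentry) break           # reached the mount root
        path = "/" . kernel_string(@cast(dentry, "dentry")->d_name->name) . path
        dentry = parent
    }
    return path == "" ? "/" : path
}

probe kernel.function("generic_file_open") {
    if (uid() != $1) next                     # only the requested user
    printf("open path: %s (dentry walk: %s) pid=%d comm=%s\n",
           fullpath_struct_file(task_current(), $filp),  # mount-aware helper
           dentry_walk($filp->f_path->dentry),
           pid(), execname())
}
```

Only opens that pass through generic_file_open are seen, so a filesystem whose open routine bypasses it will not appear; probing the open/openat syscalls instead gives complete coverage at the cost of resolving the path yourself.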

Further hacking

If you want to become more familiar with SystemTap, I’d recommend digging through the default provided tapsets in the “/usr/share/systemtap/tapset” directory. The tapsets can give you an idea of what type of information you can gather.

Happy tapping!
