dtrace command to analyze file modification
-
I am trying to find a way to detect changes to an octet file used in freeradius to track data usage for a captive portal. dtrace is a command that can do this, but I am not able to use it in pfSense.
Is there a way that I can enable it? Or other tools that can tell me which process is modifying a file and at what time?
Example script with dtrace:
Script:
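#!/usr/sbin/dtrace -s

/* arg0 of write(2) is a file descriptor, so resolve it through fds[]. */
/* How complete fi_pathname is depends on the platform's DTrace translator. */
syscall::write:entry
/execname != "dtrace" && fds[arg0].fi_pathname == "/path/to/your/file"/
{
    printf("%Y: Process %s (PID %d) is writing to %s\n",
        walltimestamp, execname, pid, fds[arg0].fi_pathname);
}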
-
What happens when you try to run it?
-
@stephenw10 said in dtrace command to analyze file modification:
What happens when you try to run it?
I get this message:
dtrace: failed to initialize dtrace: DTrace device not available on system
-
dtrace has quite a list of conditions to be met for it to work.
The kernel has to have supported modules, and be compiled with 'trace' options set. I wouldn't be surprised if that can't be found on pfSense, a firewall.
A FreeBSD dev station, yeah, of course.
Look here.
@jarlel said in dtrace command to analyze file modification:
I am trying to find a way to detect changes
An idea:
The file you're interested in, change the owner and/or the read write execute flags.
Make it read only for everybody.
What will happen now ... will the process that actually updates (= writes) it crash? Complain?
FreeRadius has some pretty extensive logging: just stop / kill it in the GUI, and then on the console (or SSH) access, fire it up: radiusd -X
If a process fails, freeradius or some other process, you should see it complaining - in the logs of course.
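For a system where the DTrace device is not available, the following polling sketch is an added example (not code from any poster in this thread): it logs each change to a file with a timestamp and the processes that have it open at that moment. It assumes FreeBSD's fstat(1) is present on the box, the script name is hypothetical, and a writer that opens, writes and closes between two polls will show up as a change without a process name.

```shell
#!/bin/sh
# Added example: poll a file and log each change with the processes that hold it open.
# Usage (hypothetical script name): ./watchfile.sh /path/to/your/file [interval_seconds]

# stat format differs: GNU uses -c, FreeBSD (pfSense) uses -f.
case "$(uname -s)" in
    Linux) STAT_FMT="-c %Y:%s" ;;
    *)     STAT_FMT="-f %m:%z" ;;
esac

# Print "mtime:size" for the file, or "missing" if it cannot be read.
file_sig() {
    # $STAT_FMT is left unquoted on purpose so it splits into option and format.
    stat $STAT_FMT "$1" 2>/dev/null || echo missing
}

# Print the processes that have the file open right now as "cmd(pid,mode)".
# Assumes fstat(1) columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W NAME.
holders() {
    if command -v fstat >/dev/null 2>&1; then
        fstat "$1" 2>/dev/null | awk 'NR > 1 { printf "%s(%s,%s) ", $2, $3, $9 }'
    else
        printf 'fstat-unavailable'
    fi
}

LAST_SIG=""

# Compare against the previous signature; print one log line and return 0 on a change.
poll_once() {
    cur=$(file_sig "$1")
    [ "$cur" = "$LAST_SIG" ] && return 1
    prev=$LAST_SIG
    LAST_SIG=$cur
    [ -z "$prev" ] && return 1          # first call only records the baseline
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1 changed $prev -> $cur open-by: $(holders "$1")"
}

# Run the watch loop only when a file path is given on the command line.
if [ "$#" -ge 1 ]; then
    while :; do
        poll_once "$1" || true
        sleep "${2:-1}"
    done
fi
```

Redirect the output to a log file and compare its timestamps with the `radiusd -X` debug output to see which accounting update matches each change.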