| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | .\" $NetBSD: filemon.4,v 1.18 2016/01/11 01:45:27 pgoyette Exp $ | | 1 | .\" $NetBSD: filemon.4,v 1.19 2016/01/11 06:21:23 wiz Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2011, Juniper Networks, Inc. | | 3 | .\" Copyright (c) 2011, Juniper Networks, Inc. |
4 | .\" | | 4 | .\" |
5 | .\" Redistribution and use in source and binary forms, with or without | | 5 | .\" Redistribution and use in source and binary forms, with or without |
6 | .\" modification, are permitted provided that the following conditions | | 6 | .\" modification, are permitted provided that the following conditions |
7 | .\" are met: | | 7 | .\" are met: |
8 | .\" 1. Redistributions of source code must retain the above copyright | | 8 | .\" 1. Redistributions of source code must retain the above copyright |
9 | .\" notice, this list of conditions and the following disclaimer. | | 9 | .\" notice, this list of conditions and the following disclaimer. |
10 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 10 | .\" 2. Redistributions in binary form must reproduce the above copyright |
11 | .\" notice, this list of conditions and the following disclaimer in the | | 11 | .\" notice, this list of conditions and the following disclaimer in the |
12 | .\" documentation and/or other materials provided with the distribution. | | 12 | .\" documentation and/or other materials provided with the distribution. |
13 | .\" | | 13 | .\" |
14 | .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | | 14 | .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| @@ -144,27 +144,27 @@ for read or read-write. | | | @@ -144,27 +144,27 @@ for read or read-write. |
144 | for writing or read-write. | | 144 | for writing or read-write. |
145 | .It Dv X | | 145 | .It Dv X |
146 | .Xr exit 3 ; | | 146 | .Xr exit 3 ; |
147 | .Ar data | | 147 | .Ar data |
148 | is the exit status. | | 148 | is the exit status. |
149 | .It Dv V | | 149 | .It Dv V |
150 | indicates the version of | | 150 | indicates the version of |
151 | .Nm . | | 151 | .Nm . |
152 | .El | | 152 | .El |
153 | .Pp | | 153 | .Pp |
154 | A | | 154 | A |
155 | .Nm | | 155 | .Nm |
156 | instance is created by opening | | 156 | instance is created by opening |
157 | .Dv /dev/filemon . | | 157 | .Pa /dev/filemon . |
158 | Then use | | 158 | Then use |
159 | .Fn ioctl filemon_fd FILEMON_SET_PID &pid | | 159 | .Fn ioctl filemon_fd FILEMON_SET_PID &pid |
160 | to identify the target process to monitor, and | | 160 | to identify the target process to monitor, and |
161 | .Fn ioctl filemon_fd FILEMON_SET_FD &output_fd | | 161 | .Fn ioctl filemon_fd FILEMON_SET_FD &output_fd |
162 | to direct the event log to an already-opened output file. | | 162 | to direct the event log to an already-opened output file. |
163 | .Sh FILES | | 163 | .Sh FILES |
164 | .Bd -literal | | 164 | .Bd -literal |
165 | /dev/filemon | | 165 | /dev/filemon |
166 | .Ed | | 166 | .Ed |
167 | .Sh EXAMPLES | | 167 | .Sh EXAMPLES |
168 | The following example demonstrates the basic usage of | | 168 | The following example demonstrates the basic usage of |
169 | .Nm : | | 169 | .Nm : |
170 | .Pp | | 170 | .Pp |
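Review bot: The FILES section at lines 164-166 still lists /dev/filemon inside a .Bd -literal block, while line 157 in this hunk moves the same path from .Dv to .Pa. For consistent markup, consider converting the FILES entry in the same commit to a tagged list with an .It Pa /dev/filemon item and a one-line description of the device.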
| @@ -209,38 +209,40 @@ The output of | | | @@ -209,38 +209,40 @@ The output of |
209 | .Nm | | 209 | .Nm |
210 | is intended to be simple to parse. | | 210 | is intended to be simple to parse. |
211 | It is possible to achieve almost equivalent results with | | 211 | It is possible to achieve almost equivalent results with |
212 | .Xr dtrace 1 | | 212 | .Xr dtrace 1 |
213 | though on many systems this requires elevated privileges. | | 213 | though on many systems this requires elevated privileges. |
214 | Also, | | 214 | Also, |
215 | .Xr ktrace 1 | | 215 | .Xr ktrace 1 |
216 | can capture similar data, but records failed system calls as well as | | 216 | can capture similar data, but records failed system calls as well as |
217 | successful, and is thus more complex to post-process. | | 217 | successful, and is thus more complex to post-process. |
218 | .Sh HISTORY | | 218 | .Sh HISTORY |
219 | .Nm | | 219 | .Nm |
220 | was contributed by Juniper Networks. | | 220 | was contributed by Juniper Networks. |
221 | .Sh SECURITY CONSIDERATIONS | | 221 | .Sh SECURITY CONSIDERATIONS |
222 | If the monitored process exits, and its pid gets reused, filemon will | | 222 | If the monitored process exits, and its pid gets reused, |
223 | continue to report events for the new process (and its descendants) | | 223 | .Nm |
224 | without any authorization checks. | | 224 | will continue to report events for the new process (and its |
| | | 225 | descendants) without any authorization checks. |
225 | .Pp | | 226 | .Pp |
226 | Monitoring of a process enables the target process to write to the | | 227 | Monitoring of a process enables the target process to write to the |
227 | tracking process's file descriptor. | | 228 | tracking process's file descriptor. |
228 | .Sh RESTRICTIONS | | 229 | .Sh RESTRICTIONS |
229 | The | | 230 | The |
230 | .Nm | | 231 | .Nm |
231 | facility can only be used to track processes running in the system's | | 232 | facility can only be used to track processes running in the system's |
232 | native emulation. | | 233 | native emulation. |
233 | Neither processes using any of the | | 234 | Neither processes using any of the |
234 | .Dv COMPAT_xxx | | 235 | .Dv COMPAT_xxx |
235 | compatibility layers nor | | 236 | compatibility layers nor |
236 | any descendants of such processes can be tracked. | | 237 | any descendants of such processes can be tracked. |
237 | .Pp | | 238 | .Pp |
238 | If two processes are monitored, and one is a descendant of the other, events | | 239 | If two processes are monitored, and one is a descendant of the other, events |
239 | related to the descendant process and its further descendants are delivered | | 240 | related to the descendant process and its further descendants are delivered |
240 | only to the descendant process's monitor. | | 241 | only to the descendant process's monitor. |
241 | If a process is being monitored by two instances of filemon, events will be | | 242 | If a process is being monitored by two instances of |
242 | delivered only to the first instance created (when | | 243 | .Nm , |
| | | 244 | events will be delivered only to the first instance created (when |
243 | .Pa /dev/filemon | | 245 | .Pa /dev/filemon |
244 | was opened), regardless of the order in which the monitoring processes | | 246 | was opened), regardless of the order in which the monitoring processes |
245 | called | | 247 | called |
246 | .Fn ioctl fd FILEMON_SET_PID pid . | | 248 | .Fn ioctl fd FILEMON_SET_PID pid . |
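Review bot: The SECURITY CONSIDERATIONS paragraph at new lines 222-225 says that events keep being reported for whatever process reuses the pid, without any authorization checks, but it gives no indication of what a monitoring program is expected to do about it. Since the paragraph is being reflowed anyway, consider adding a sentence on the expected handling, for example whether the monitor should close the filemon descriptor once the target has exited. Separately, the call is written as ioctl fd FILEMON_SET_PID pid at new line 248 but as ioctl filemon_fd FILEMON_SET_PID &pid at line 159; one form should be used throughout so the reader does not have to guess whether the argument is passed by pointer.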