TRACE_OPEN Syscall Interceptor
TRACE_OPEN Syscall Interceptor shows all files an application tried to open. Both the open and openat syscalls are traced.
ENVIRONMENT VARIABLES
- SI_OUT_FILE - file for interceptor output (default: stderr)
EXAMPLES
EXAMPLE 1
Let's see what is going on inside the ls command.
- Run ls under the trace_open syscall interceptor:
    [si@localhost]$ trace_open.si ls -ld /
    trace_open.si: open("/usr/bin/ls") = 3
    trace_open.si: open("/lib64/ld-linux-x86-64.so.2") = 4
    trace_open.si: open("/etc/ld.so.cache") = 3
    trace_open.si: open("/lib64/libselinux.so.1") = 3
    trace_open.si: open("/lib64/libcap.so.2") = 3
    trace_open.si: open("/lib64/libc.so.6") = 3
    trace_open.si: open("/lib64/libpcre.so.1") = 3
    trace_open.si: open("/lib64/libdl.so.2") = 3
    trace_open.si: open("/lib64/libattr.so.1") = 3
    trace_open.si: open("/lib64/libpthread.so.0") = 3
    trace_open.si: open("/usr/lib/locale/locale-archive") = 3
    trace_open.si: open("/usr/share/locale/locale.alias") = 3
    trace_open.si: open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/share/locale/en_US/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/share/locale/en.utf8/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/share/locale/en/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
    trace_open.si: open("/usr/lib64/gconv/gconv-modules.cache") = 3
    trace_open.si: open("/sys/fs/selinux/mls") = 3
    trace_open.si: open("/etc/nsswitch.conf") = 3
    trace_open.si: open("/etc/ld.so.cache") = 3
    trace_open.si: open("/lib64/libnss_files.so.2") = 3
    trace_open.si: open("/etc/passwd") = 3
    trace_open.si: open("/etc/group") = 3
    trace_open.si: open("/etc/localtime") = 3
    dr-xr-xr-x. 24 root root 4096 Mar 9 11:26 /
- For comparison, run the same command under strace:
    [si@localhost]$ strace -e open
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
    open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
    open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
    open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
    open("/sys/fs/selinux/mls", O_RDONLY) = 3
    open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
    open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
    dr-xr-xr-x. 24 root root 4096 Mar 9 11:26 /
    +++ exited with 0 +++
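The trace_open.si line format shown in EXAMPLE 1 can be post-processed when auditing which files a binary touches. The following Python code is an added example, not part of the product or the original page: it parses interceptor lines, maps the numeric errno to the symbolic name that strace prints, and reports failed opens and hits on a watch list. The WATCHED list and the function names are assumptions of this example; the sample lines are copied from the EXAMPLE 1 output.

```python
import errno
import re
from collections import defaultdict

# Line format as printed by trace_open.si in EXAMPLE 1.
LINE_RE = re.compile(
    r'^trace_open\.si: open\("(?P<path>.*)"\) = (?P<ret>-?\d+)'
    r'(?: errno=(?P<err>\d+) \([^)]*\))?$'
)

# Assumed watch list for this example; replace with your own policy.
WATCHED = ("/etc/passwd", "/etc/group", "/etc/shadow")

def parse_trace(lines):
    """Yield (path, ret, err) per interceptor line; skip the traced program's own output."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], int(m["ret"]), int(m["err"]) if m["err"] else None

def summarize(lines):
    """Return (opened paths, failures keyed by errno name, watched paths opened)."""
    opened, failed, watched = [], defaultdict(list), []
    for path, ret, err in parse_trace(lines):
        if ret < 0:
            # strace prints ENOENT where trace_open.si prints errno=2
            failed[errno.errorcode.get(err, str(err))].append(path)
        else:
            opened.append(path)
            if path in WATCHED:
                watched.append(path)
    return opened, dict(failed), watched

# Sample lines copied from the EXAMPLE 1 output, including the ls result line.
SAMPLE = """\
trace_open.si: open("/usr/bin/ls") = 3
trace_open.si: open("/etc/ld.so.cache") = 3
trace_open.si: open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
trace_open.si: open("/usr/share/locale/en/LC_TIME/coreutils.mo") = -1 errno=2 (No such file or directory)
trace_open.si: open("/etc/passwd") = 3
trace_open.si: open("/etc/group") = 3
dr-xr-xr-x. 24 root root 4096 Mar 9 11:26 /
""".splitlines()

if __name__ == "__main__":
    opened, failed, watched = summarize(SAMPLE)
    print(f"{len(opened)} opened, watched: {watched}")
    for name, paths in failed.items():
        print(f"{name}: {len(paths)} failed open(s)")
```

With SI_OUT_FILE set, the interceptor output goes to a separate file and the traced program's own output no longer needs to be filtered out.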