This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Get cmd name out of bash


Philipp Michael wrote:
> Sorry, my fault with the missing subject!
> 
> Hi,
>  
> I have a need to log the console inputs to a named pipe, so I checked the
> possibilities via systemtap. I want to get the process call of the cmd
> which was typed and send this to a named pipe where I can get it with the
> syslog-ng daemon. My problem now is that I don't get the command name like ls,
> ifconfig, or cd...

I'm not sure what you are really trying to do, but I'll give this a
shot.  It probably would help if you would let us know what kernel,
architecture, distro, and systemtap version you are using.

> My little test program (below) shows only: bash (xxxx).... So is there a
> possibility to get the direct command names like they appear in the process
> list (ps -ef)? Can I go into the bash process list?
>  
> probe process.create { printf ("%s(%d) create done (%s)\n", execname(), pid(), argstr) }
>  
> probe process.exec { printf ("%s(%d) exec done (%s)\n", execname(), pid(), argstr) }
>  
> probe timer.ms (60000) {exit() }

The reason why you are only seeing "bash" as the process name is that at
that point bash is the current process.  Let's walk through the normal
fork/exec logic.

- bash(pid 100) is running, you type "ls" at the bash prompt

- bash(100) forks, creating a new process (pid 101) that is a copy of
itself.  At this point your process.create probe will get hit.

- bash(101) calls exec, passing "/bin/ls" as the filename to exec.  The
process.exec probe gets hit at the beginning of exec, before the exec
actually happens.  So, at this point the process name is still "bash"
(which is why execname() still reports "bash").  As exec continues,
bash's text/data is lost at this point, and replaced by "/bin/ls".  When
exec finishes, execname() would report "/bin/ls".

Here's a somewhat fixed version of your script:

  probe process.exec { printf ("%s(%d) exec\n", filename, pid()) }

  probe timer.ms (60000) {exit() }

I say "somewhat" since it won't log the new exec'ed program's args.

There are more problems here though.  First, the process.stp tapset is
deprecated and is most likely going away.  Second, I'm not sure
systemtap is really the tool for what you appear to be trying to do.  I
think what you really might want to do here is enable the kernel's
auditing facility, which is already set up to do exec auditing.

If you want to pursue this further, I'd need a better description of
what you are really trying to do.

-- 
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
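The fork/exec walkthrough above explains why execname() still reads "bash" when the exec probe fires, and the "somewhat fixed" script logs the new program's path but not its arguments. The script below is an added example for this archived thread, not code from either poster: it uses the non-deprecated syscall.execve probe, whose filename and argstr variables carry the pathname and argument string handed to execve(2), and a matching return probe to show execname() changing once the exec has completed. It assumes a SystemTap build with the standard syscall tapset and the context functions pid(), ppid(), uid() and execname().

```systemtap
# Added example, not part of the original thread.  Logs every exec on the
# system: who called it, what it is replacing itself with, and the result.
#
# syscall.execve fires on entry to execve(2).  At this moment the image has
# not been replaced yet, so execname() is still the caller ("bash" for an
# interactive shell); the program being started is only visible through the
# probe's own filename and argstr variables.
probe syscall.execve {
    printf("exec-enter %s(%d) ppid=%d uid=%d -> %s [%s]\n",
           execname(), pid(), ppid(), uid(), filename, argstr)
}

# On return the old image is gone (if the exec succeeded), so execname()
# now reports the new program's comm.  retstr is the formatted return
# value; a failed exec (e.g. "-2 (ENOENT)") leaves the caller's name intact.
probe syscall.execve.return {
    printf("exec-return %s(%d) ret=%s\n", execname(), pid(), retstr)
}

# Stop after 60 seconds, as in the original test script.
probe timer.ms(60000) { exit() }
```

Run it as root and redirect stdout to the FIFO that syslog-ng reads, for example `stap exec_log.stp > /path/to/fifo` (path is a placeholder). Two caveats for anyone turning this into an audit trail: filename is the string the caller passed to execve, so a relative name like "./ls" is logged exactly as typed rather than as a canonical path, and argstr is truncated at SystemTap's maximum string length, so very long command lines lose their tail. For a tamper-resistant record, the kernel audit subsystem David mentions is still the better fit.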

