Date: Mon, 28 Oct 2002 10:31:41 -0500 (EST)
From: Adrian Filipi-Martin <adrian+freebsd-audit@ubergeeks.com>
To: Juli Mallett <jmallett@FreeBSD.ORG>
Cc: Maxim Sobolev <sobomax@FreeBSD.ORG>, Nate Lawson <nate@root.org>, <jlemon@FreeBSD.ORG>, <hackers@FreeBSD.ORG>, <audit@FreeBSD.ORG>
Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC
Message-ID: <20021028102544.O64046-100000@lorax.ubergeeks.com>
In-Reply-To: <20021027010429.A90908@FreeBSD.org>

On Sun, 27 Oct 2002, Juli Mallett wrote:

> * From: Maxim Sobolev <sobomax@FreeBSD.ORG> [ Date: 2002-10-27 ]
> [ Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC ]
> > On Sat, Oct 26, 2002 at 06:09:31PM -0700, Nate Lawson wrote:
> > > On Thu, 24 Oct 2002, Maxim Sobolev wrote:
> > > > Please review the patch, which adds two new types of events -
> > > > NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get
> > > > notification when the image starts or stops executing. For example, it
> > > > could be used to monitor that a daemon is up and running and notify
> > > > administrator when for some reason it exits. I am running this code
> > > > for more than a year now without any problems.
> > > >
> > > > Any comments and suggestions are welcome.
> > >
> > > Couldn't this just be done by init(8) and /etc/ttys? Or inetd? If you
> > > want to write your own, couldn't you use waitpid()? Or a kevent() of
> > > EVFILT_PROC with NOTE_EXIT/NOTE_FORK? I'm not sure I see the need for
> > > this.
> >
> > EVFILT_PROC operates on pids, while NOTE_{START,STOP}EXEC operate on
> > vnodes - it is the main difference. Currently, you can't reliably
> > get a notification when kernel started executing some arbitrary
> > executable from your fs.
>
> This is not a job for the kernel, I don't think. Implement it in userland
> in terms of having the daemon write to a pidfile at startup, and have SIGUSR1
> make it tell the sender it's alive (using my sigq stuff this is trivial, just
> send SIGUSR2 back), and periodically read the pidfile and try to communicate
> with the daemon, and respawn it if it fails. This could be racy if done
> poorly. However if you want this for *any* executable, rather than just
> "some arbitrary executable" rather than some specific job, then while I wonder
> how useful it is in a generic concept, the kq solution might be more
> reasonable.
>
> Juli Mallett <jmallett@FreeBSD.org> | FreeBSD: The Power To Serve

Monitoring process health isn't nearly as interesting as being able to
track system statistics for IDS purposes. STOP/START_EXEC tracking would
make it much easier to profile a running system and then generate a
statistical profile of what should normally be running. This cannot be
accurately done outside the kernel.

Adrian
--
[ adrian@ubergeeks.com ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
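
The userland liveness check described in the quoted reply above (pidfile, SIGUSR1 probe, SIGUSR2 answer), as an added example that is not code from this thread or from FreeBSD. The names `spawn_demo_daemon` and `probe_pidfile` and the `/tmp` path are hypothetical, and the reply is matched on `si_pid` from plain `kill(2)` rather than the "sigq" work mentioned in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
/* Daemon side: answer a SIGUSR1 probe by sending SIGUSR2 back to the sender. */
static void on_probe(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    kill(si->si_pid, SIGUSR2);                /* kill(2) is async-signal-safe */
}

/* Hypothetical stand-in daemon: forks and records the child's pid in the pidfile. */
pid_t spawn_demo_daemon(const char *pidfile) {
    struct sigaction sa = {0};
    sa.sa_sigaction = on_probe; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, NULL);            /* installed before fork: no startup race */
    pid_t pid = fork();
    if (pid == 0) { alarm(30); for (;;) pause(); }   /* demo child ends itself after 30 s */
    FILE *f = fopen(pidfile, "w");
    if (f != NULL) { if (pid > 0) fprintf(f, "%ld\n", (long)pid); fclose(f); }
    return pid;
}

/* Monitor side: 1 = answered, 0 = gone or silent, -1 = unusable pidfile. */
int probe_pidfile(const char *pidfile, int timeout_sec) {
    long pid = 0;
    FILE *f = fopen(pidfile, "r");
    if (f == NULL) return -1;
    int n = fscanf(f, "%ld", &pid);
    fclose(f);
    if (n != 1 || pid <= 1) return -1;        /* 0 and negatives address process groups */
    sigset_t set; siginfo_t info; struct timespec ts = { .tv_sec = timeout_sec };
    sigemptyset(&set); sigaddset(&set, SIGUSR2);
    sigprocmask(SIG_BLOCK, &set, NULL);       /* queue the reply for sigtimedwait */
    /* The race: if the pid was recycled, this SIGUSR1 reaches an unrelated process. */
    if (kill((pid_t)pid, SIGUSR1) != 0) return 0;    /* e.g. ESRCH: stale pidfile */
    int sig = sigtimedwait(&set, &info, &ts);
    return sig == SIGUSR2 && info.si_pid == (pid_t)pid;
}

int main(void) {
    const char *pf = "/tmp/probe_demo.pid";   /* constructed path for the demo */
    pid_t child = spawn_demo_daemon(pf);
    int up = probe_pidfile(pf, 2);
    kill(child, SIGKILL); waitpid(child, NULL, 0);
    printf("running: %d, after kill: %d\n", up, probe_pidfile(pf, 1));
    return unlink(pf);
}
```

The probe only reports on a pid it was told about; it gives no notification of which executables start or stop, which is the vnode-based information NOTE_STARTEXEC and NOTE_STOPEXEC were proposed to provide.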