modFileAttr

Edit online

The modFileAttr event producer monitors for modifications to the attributes of a file.

Overview

The modFileAttr event producer resides under the fs directory and monitors for modifications to the attributes of a file or directory (mode, ownership and ACLs). The following vnode operations are monitored: vnop_setattr() (only for V_OWN and V_MODE operations), vnop_setacl(), vnop_setxacl(), vnop_remove(), vnop_rename() and vnop_rmdir().

Files or directories may not be monitored if:

  • They are in a remote file system
  • They are in file system of type ahafs, procfs or namefs
  • They reside under a directory which ends with an AIX® Event Infrastructure extension (.mon, .list, .monFactory)
  • Monitor files with a full path name larger than MAXPATHLEN in the AIX Event Infrastructure pseudo file system cannot be monitored.
Capabilities
AHAFS_THRESHOLD_STATE

AHAFS_STKTRACE_AVAILABLE

AHAFS_REMOTE_EVENT_ENABLED
Return codes

The modFileAttr event producer uses return codes which are defined in <sys/ahafs_evProds.h>.

These return codes are used to indicate how the contents of the monitored directory were modified:

AHAFS_MODFILEATTR_UNMOUNT
The filesystem containing the monitored file or directory was unmounted. This is an unavailable event.
AHAFS_MODFILEATTR_REMOVE
The monitored file or directory has been removed. This is an unavailable event.
AHAFS_MODFILEATTR_RENAME
The monitored file or directory has been renamed. This is an unavailable event.
AHAFS_MODFILEATTR_OVERMOUNT
The monitored file or directory has been over mounted. This is an unavailable event.
AHAFS_MODFILEATTR_SETACL
The ACLs of the monitored file or directory were modified.
AHAFS_MODFILEATTR_SETOWN
The ownership of the monitored file or directory was modified.
AHAFS_MODFILEATTR_SETMODE
The mode of the monitored file or directory was modified.
Event producer message

This event producer does not pass any messages as part of its event data.

Acceptable monitor files

To monitor for file modifications, a monitor file with the same path as the file you wish to monitor should be created under the modFileAttr.monFactory directory. For example, to monitor /etc/passwd, the monitor file /aha/fs/modFileAttr.monFactory/etc/passwd.mon would be used.

Example event data

The following event data was generated from a process changing the mode of a monitored file. This is the output seen with an INFO_LVL of 3:

BEGIN_EVENT_INFO
TIME_tvsec=1291994430
TIME_tvnsec=760097298
SEQUENCE_NUM=0
PID=5767216
UID=0
UID_LOGIN=0
GID=0
PROG_NAME=chmod
RC_FROM_EVPROD=1010
STACK_TRACE
ahafs_evprods+70C
aha_process_attr+120
vnop_setattr+21C
vsetattr@AF13_1+20
setnameattr+B4
chmod+110
.svc_instr
change+3C8
main+190
__start+68
END_EVENT_INFO