0

I'm trying to run a script that runs opensnoop, outputs the data to a log and kills the process after 15 minutes. However, when the script ends, the log file continues to grow, suggesting that opensnoop is not actually shut down.

It also prompts the user a few times for their password. This is in an attempt to narrow down a problem we've been having on Macs on our network:

#!/bin/sh

filename=~/Desktop/$(hostname)-$(date +"%m-%d-%Y").log

osascript -e 'display dialog "Please enter your password in the terminal window that just opened. The terminal window will not show you entering anything. This is expected behavior."'

sudo opensnoop -v -n apptolog >> $filename & sleep 10

osascript -e 'display dialog "Please enter your password again in the terminal window."'

kill $(jobs -p) >> /dev/null

sleep 5

textblock="The VShield log has been created. Please email <my e-mail> with the subject OpenSnoop logs for Macos and attach $filename."

osascript -e "display dialog \"$textblock\""

Using the above script, and adding jobs -p references, it looks like the command name is just "sudo" and doesn't give the actual command name "opensnoop".

What am I doing wrong here?

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
takieda
  • 3
  • 2

1 Answers1

0

since you know exactly the name of your file. Make a killall opensnoop

All processes with the name opensnoop will be deleted.

Yug Normand Ngangue
  • 181
  • 1
  • 11
  • 1
    Unfortunately, when run as above, it doesn't show up as opensnoop in ps. The best I can tell is that it opens two processes, one called dtrace (opensnoop is based on dtrace) and one called sudo. Unfortunately, there are cases where dtrace and or sudo might be open on a user's computer so I can't killall dtrace. The only thing I can do at that point is try to killall sudo and dtrace for the current tty given by "who am i" but I don't know how to run that command. – takieda Sep 21 '21 at 13:18
  • Also, with further testing, if I kill sudo, then the log file continues to expand, but if I kill dtrace, it stops, so the actual process to kill seems to be dtrace, but the sudo command remains in memory. – takieda Sep 21 '21 at 14:40
  • Your sudo command should not be a problem. It is a command that allows you to become a superuser. So I think a killall dtrace is good. – Yug Normand Ngangue Sep 22 '21 at 12:43
  • I can see that you run opensnoop as a superuser. So you have to run it as a session user. Do not set sudo, then when you do a dtrace killall. It will work for exactly the current user. – Yug Normand Ngangue Sep 22 '21 at 12:52