Anubhav Gain

Security Software Engineer · XDR/OXDR Architect · Rust & eBPF · 222+ Research Citations

Tags

/ 2fa ab aboutme access-control access-management active-directory actix-web ad-blocking administration admission-control adr advanced-devops advanced-threats agile ai AI AI Agents AI Development ai-cybersecurity ai-detection ai-integration ai-powered-scoring AI-security ai-threat-detection ai-threat-hunting ai-translation airtable alert-consolidation alert-fatigue alerting amd-sev amplitude amtd analysis analytics Android anomaly-detection ansible api API api-client api-design api-gateway api-management api-security app-control-for-business apparmor apple Apple-Intelligence Apple-security applescript application-security applications applocker APT-attacks apt-detection arch-linux architecture Architecture architecture-patterns argocd arm-trustzone asgi assemblyscript astro-ai async Async athena Attack-Mitigation attestation audio auth0 authentication Authentication authorization automated-monitoring automated-response automation autoscaling aws AWS awslambda aya Aya azure azure-ad backend background-services backstage backup Backup bare-metal baseline-analysis bash basics bcc behavioral-analysis behavioral-analytics benchmarking Best Practices best-practices bgp bind-mounts biometric-security blacklist blockchain blog-platforms Blogging blue-green blue-team bluechi bochs borrowing bot-management Bot-Management boto3 bpftrace broadcom browser build build-configuration busybox byzantine c caddy calico canary career Career cdc cdn CDN centos certificate-authority certificates chartmuseum chatbot chatops check_wmi_plus choreography chrome ci-cd CI/CD cicd cilium circuit-breaker cis cis-benchmark cka Claude claude-3-opus claude-code cleanup cli cli-tools clickhouse cloud cloud-native cloud-providers cloud-security Cloud-Storage cloudflare Cloudflare cloudflared cloudrun cluster cluster-deployment cluster-health cluster-management cluster-setup cmd cni cocktails code management code-generation collaboration communication communication-patterns community compensation compliance compliance-automation compliance-reporting Compose compression conference-translation confidential-computing configmaps configuration configuration-management consensus consul container Container Orchestration container-management container-monitoring container-orchestration container-runtime container-security containerization Containerization containers Containers content-automation content-generation contextual-translation continuous-improvement contract-testing controller controller-manager cookiecutter cooking coredns coreos Coroutines correlation correlation-rules cors cosmopolitan Cost Optimization cost-optimization Cost-Optimization cpp cqrs crd cri-o cronjob cronjobs cross-account cross-cloud Cross-Platform cryptography csharp css custom linux custom-decoders customization CVE-2025-31200 CVE-2025-31201 cybersec cybersecurity Cybersecurity d1-database D1-Database daemonsets dashboard dashboards data-analytics data-architecture data-channels data-consistency data-fetcher data-governance data-management data-masking data-migration data-pipelines data-prepper data-processing data-protection data-recovery database DataBinding datasette dba ddos-protection DDoS-Protection debian debugging decoders deepl-voice deepseek-r1 defense defensive-security Demo deno dep deployment Deployment design-patterns desktop-development detection detection-accuracy Developer Tools developer-portal developer-portals development devops DevOps devops-culture devops-journey devsecops DevSecOps devtools devtron diagrams digitalocean disaster-recovery discord discovery disk-encryption disk-provisioning Distributed Systems distributed-security distributed-systems distributed-transactions distro distrobox django dkim dmarc dnf dns docker Docker document-processing documentation domain-administration domain-driven-design dotnet duckdb dx-operational-observability dynamodb ebpf eBPF ec2 ECS edge-computing Edge-Database edge-devices edge-functions edge-security edr elastic-alternative elasticsearch electron elk-stack email email-automation embedded linux embedded-systems encryption endpoint-protection endpoint-security Engineering enterprise Enterprise Enterprise Security enterprise-architecture enterprise-clustering enterprise-governance enterprise-integration enterprise-security environment-variables envoy error-handling etcd ETL eureka event-driven event-driven-architecture event-sourcing event-streaming Example exif exploit-mitigation exploit-prevention exploitation falco Fargate fault-tolerance feature-flags federation fedora fedora-coreos ffmpeg FIDO2 file-integrity file-rule-levels file-transfer filebeat FileVault fips fips-203 firefox firewall Flow fluentbit flux fly forensics full-stack functions fundamentals future-translation gainsaheb Gatekeeper gcp gcs gemini-2.5 general gis git github github-actions gitlab gitops GitOps Global-Distribution gmail go golang google google-authenticator google-cloud google-sheets googlecloud governance gpt gpt-4o gpt3 grafana graph-api graphical interface graphql GraphQL group-policy grpc gui guide hacker-news ham-radio hardening hardware hardware-acceleration hardware-security hashicorp health-probes helm helm-charts heroku high-availability high-risk-security Hilt hirte history homebrew homelab hpa hsm html http http3 https httpx hugo hybrid-cloud hybrid-quantum-classical hypothesis-driven iac iam icinga ics identity identity management identity-governance identity-management ignition imagemagick incident-response index index-management indexer industrial-iot industrial-security Infopercept infrastructure Infrastructure infrastructure-as-code ingress insider-threats installation instrumentation integration Integration Testing integration-testing intel-sgx internet interoperability introduction intrusion-detection inventory Invinsense ios iOS-development iOS-security iot isa istio iterators jamstack jasmin java javascript JavaScript jenkins jest Jetpack Jetpack Compose jinja jq json jsonpath jupyter jwt JWT k8s kafka kannel kaslr keepalive kernel Kernel kernel-security key-management keycloak KIND kiota kms Kotlin kprobe kpti kubeadm kubectl kubernetes Kubernetes kubernetes-security kustomize kyber labels lambda language-processing large-language-models lattice-cryptography launchd learning Legacy Code legacy-systems libvirt lightsail lightweight distro linkding linkerd linux Linux linux development linux from scratch linux kernel linux kernel compilation linux system linux-kernel linux-security LiveData liveness lkl llm LLM llm-translation llms load-testing Lockdown-Mode log log-analysis log-ingestion log-management log-parsing logging logs low-latency lsm Machine Learning machine-learning machine-translation machinelearning macos macOS macOS-development macOS-security malware malware-analysis malware-detection malware-protection management manifest maps Markdown markdown master-keys mastodon mdm Media-Storage mediawiki Memory Management memory-management memory-safety mermaid message-queue messaging metrics metrics-server MFA mfa micro-segmentation micromdm microservices Microservices microsoft microsoft-copilot microsoft-graph microsoft-kiota microwindows midjourney migration Migration Migrations minimalistic os minio misc mitigation mitre-attack ml-integration ml-kem mobile-device-management mobile-security monitoring Monitoring morphisec mtls Multi-Agent Systems multi-cloud multi-cluster multi-tenancy multi-tenant multilingual-blogs multimodal-ai multipass musl MVVM n8n nagios Namespaces nano-x nats Navigation netdata netflix Network network-access network-correlation network-security networking Networking neural-machine-translation neural-networks neuvector nextjs-ai nfs nginx nist-standards no-code node node-affinity node-exporter Node.js nodejs noisy-neighbors nosql notifications npm NSO-group oauth oauth2 OAuth2 object-storage Object-Storage objective-c observability observable observable-plot oci-runtime ocr offensive-security oidc open source open-xdr openai openapi opensearch openssh OpenSSL openssl opentelemetry openvpn operating system operating-systems operators optimization Optimization oracle oracle23c orchestration organizational-charts ot-ics overture-maps owasp ownership OXDR P2P p2p package-management packaging packet-capture packet-processing pact pages pagination partitioning passkeys passwordless patterns pbft pdf peer-to-peer Pegasus-protection performance Performance performance-benchmarking performance-optimization permissions persistentvolumeclaims persistentvolumes personalization php pihole pipeline pixelmator pixie pkcs11 PKI pki Platform Development platform-engineering playwright pluggy plugin plugins pmp pod-security podman pods polyglot-persistence post-quantum-cryptography postgresql powershell presenting pricing priority-management privacy-controls privacy-engineering privacy-protection Private-Cloud-Compute process-exporter processor production Production production-deployment productivity programming project-management prometheus protocols proxy purpleair pyodide pypi pytest python qemu quadlet quadlets quality-assurance quantum-acceleration quantum-ai quantum-algorithms quantum-computing quantum-nlp quantum-resistance quantum-resistant quarto quic r2 R2 r2-storage rabbitmq raft ransomware-defense rate-limiting Rate-Limiting rbac RBAC rdp react readiness readthedocs real-time real-time-analytics real-time-translation red-team reddit Refactoring reference regulatory-compliance remote-access ReplicaSet repository management resilience resilience4j resource-management resources REST rest-api restore risc-v risk-based-alerting rocky-linux roles rolling-updates Room rootkit rootless rootless-containers routing rpki rpm-ostree rsyslog rule-engine rule-options rules runtime-protection runtime-security rust Rust s3 s3-compatible S3-Compatible safari safety-critical saga-pattern sandboxed-execution sandboxing scalability sched_ext scheduler scheduling scim screen-sharing sdk-development sdk-generation sdlc seamlessm4t search search-engine seccomp secrets secrets-management secure-boot secure-coding secure-element secure-enclave secure-enclaves security Security Security Platform security-analytics security-architecture security-automation security-commands security-implementation security-monitoring security-orchestration security-patches security-platform security-runtimes security-systems security-testing security-tools security-updates selenium selinux seo seo-optimization server-setup serverless Serverless service mesh service-accounts service-discovery service-mesh service-workers Services shell shell-configuration shell-scripting shellcode shot-scraper siem SIEM signaling sigstore simultaneous-interpretation single-node sinkhole site-speed slack slsa smack smallstep smpp SMS sms-gateway smtp snapshot soar software development software-attestations software-testing spatialite speech-translation spf sphinx spiffe spire spreadsheet spring-boot spyware-protection sql SQL sqlite SQLite squarespace sre ssh ssl SSL/TLS starship State Management StateFlow static-sites stepca storage storageclass streaming STUN supply-chain-security svg swift sysadmin sysmon System Architecture system services system-administration system-calls system-design system-extension system-integrity system-maintenance system-programming systemd systems-programming tailscale taints targeted-attacks TCC tcp team-collaboration telegram terminal terminal-services terraform tesseract testcontainers testing Testing tetragon textract threading threat-detection threat-hunting threat-intelligence threat-modeling threat-prevention threat-remediation threshold-cryptography tiktok tinyemu tls TLS toast-notifications token-flow tokio Tokio tolerations tomcat tools tpm tracee tracing Traffic-Analysis troubleshooting trusted-execution trusted-execution-environments trusted-publishing tunnel tunneling tunnels turing TURN tutorial twitter typescript ubuntu udp ui UI UI Testing uninstallation unisolation Unit Testing unix utilities upgrade uprobes usb-control use-cases user-experience user-monitoring user-session utm-stack valtown vault vega vendor-lock-in version control version-control Video video video-chat ViewModel vim violation-detection virtualization visualization vmware volumes vpn vpn-replacement vscode vulnerabilities vulnerability vulnerability-analysis vulnerability-detection vulnerability-scanning waf WAF wasi wasm wazuh Wazuh wdac web Web Development web-components web-development web-filtering web-infrastructure web-performance web-security Web-Security web-servers webassembly webauthn WebAuthn webhooks webrtc WebRTC websockets white-labeling wikipedia windows Windows Services windows-10-iot windows-api windows-monitoring windows-security winexe winrt wmi wordpress worker-nodes workers Workers workflow workflow-automation workload-identity xdp XDP xdr XDR xdr-platform xdr-testing xpc xprotect XProtect yaml youtube zeit-now zero-copy zero-day zero-trust zsh ztna

248 words

1 minute

Seeing files opened by a process using opensnoop

Anubhav Gain

2024-05-05

macos

/

macos

/

git

/

database

/

web

/

cli

Seeing files opened by a process using opensnoop#

I decided to try out atuin, a shell extension that writes your history to a SQLite database.

It’s really neat. I wanted to see where the SQLite database lived on disk so I could poke around inside it with Datasette.

The documentation didn’t mention the location of the database file, so I decided to figure that out myself.

I worked out a recipe using opensnoop, which comes pre-installed on macOS.

In one terminal window, run this:

1
sudo opensnoop 2>/dev/null | grep atuin

Then run the atuin history command in another terminal - and the files that it accesses will be dumped out by opensnoop:

1
  501  51725 atuin          4 /dev/dtracehelper
2
  501  51725 atuin         -1 /etc/.mdns_debug
3
  501  51725 atuin          4 /usr/local/Cellar/atuin/0.9.1/bin
4
  501  51725 atuin         -1 /usr/local/Cellar/atuin/0.9.1/bin/Info.plist
5
  501  51725 atuin          4 /dev/autofs_nowait
6
  501  51725 atuin          5 /Users/simon/.CFUserTextEncoding
7
  501  51725 atuin          4 /dev/autofs_nowait
8
  501  51725 atuin          5 /Users/simon/.CFUserTextEncoding
9
  501  51725 atuin         10 .
10
  501  51725 atuin         10 /Users/simon/.config/atuin/config.toml
11
  501  51725 atuin         10 /Users/simon/.local/share/atuin/history.db
12
  501  51725 atuin         11 /Users/simon/.local/share/atuin/history.db-wal
13
  501  51725 atuin         12 /Users/simon/.local/share/atuin/history.db-shm

Then I ran open /Users/simon/.local/share/atuin/history.db (because I have Datasette Desktop installed) and could start exploring that database:

Screenshot of Datasette showing the history table from the atuin database

The 2>/dev/null bit redirects standard error for opensnoop to /dev/null - without this it spews out a noisy volume of dtrace: error ... warnings.

Alternative solutions#

My Twitter thread asking about this resulted in a bunch of leads that I’ve not fully investigated yet, including:

FileMonitor
FSMonitor
iosnoop
fs_usage
sudo dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
strace (Linux, not macOS)