After loading this kernel module you can monitor all file system alterations by simply typing:
Its original purpose was to feed a daemon with data, but I nevertheless found it even more useful as a standalone project.
- Kernel 2.6 with enabled support for security modules. The following should be sufficient:
[EDIT] Since someone asked me why this is needed, here is a short explanation: In 2.4 it was possible to overwrite entries of the syscall table, which is what is needed to enable the filesystem monitoring. In 2.6 the syscall table is no longer exported, so one has to use the security hooks to get the same functionality.
Note: The default behaviour of the module is to monitor all file add, move, remove and rename operations. If you also want to monitor file content modifications, you have to uncomment the following line in fsysmon.c:
// #define INODE_ACCESS (optionally)
Building the module:
tar zxvf fsysmon-0.1.tar.gz
make SUBDIRS=/path_to_archive/fsysmon-0.1/module/ modules
The module creates a device called /dev/fsysmon.
In case you are using udev you have to create the device yourself:
Find out its major number:
grep fsysmon /proc/devices
Create the device:
mknod /dev/fsysmon c 253 1
To monitor the filesystem alterations you can simply type:
This will output a line every time something is modified. The first character of the line determines its meaning; the rest is the pathname of the corresponding file without its first character (which is ‘/’ anyway).
Semantics of the first character:
a: file was added
r: file was removed
u: file content was updated
Output Line: ahome/user/fileXY
Meaning: fileXY was just created in directory /home/user
Caution: It is important to unload the module if you don’t read from /dev/fsysmon, otherwise the module will eat up all your memory after a while.
If you continuously read from the device you can leave it running as long as you want.
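A small consumer for the line format described above, which also keeps draining the device continuously as the caution recommends. This is an added example, not part of fsysmon; the watched directory prefixes and the event names are assumptions.

```python
"""Consumer for /dev/fsysmon event lines (added example, not part of fsysmon)."""
from typing import Iterable, Iterator, NamedTuple, Optional

# Meaning of the first character of each line, as documented above.
OPS = {"a": "added", "r": "removed", "u": "updated"}


class Event(NamedTuple):
    op: str    # "added", "removed" or "updated"
    path: str  # absolute path, leading "/" restored


def parse_event(line: str) -> Optional[Event]:
    """Turn one raw line such as 'ahome/user/fileXY' into an Event.

    The module strips the leading '/', so it is put back here.
    Unknown first characters or empty lines yield None so a consumer
    can log the oddity and keep reading instead of stopping.
    """
    line = line.rstrip("\n")
    if len(line) < 2 or line[0] not in OPS:
        return None
    return Event(OPS[line[0]], "/" + line[1:])


def watch(lines: Iterable[str],
          prefixes=("/etc/", "/usr/bin/")) -> Iterator[Event]:
    """Yield only events under the given directory prefixes (assumed watch list).

    Every line is consumed whether or not it matches, so the device is
    drained continuously and the module's buffer does not grow.
    """
    for raw in lines:
        ev = parse_event(raw)
        if ev is not None and ev.path.startswith(prefixes):
            yield ev


if __name__ == "__main__":
    # Reads the character device the module created; needs the module loaded.
    with open("/dev/fsysmon") as dev:
        for ev in watch(dev):
            print(f"{ev.op:8} {ev.path}")
```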