After loading this kernel module you can monitor all file system alterations by simply typing:

Code:
cat /dev/fsysmon


Its original purpose was to feed a daemon with data, but nevertheless I found it to be even more useful as a standalone project.

Download:
http://www.logic.at/staff/robinson/fsysmon-0.2.tar.gz

Requirements:
- Kernel 2.6 with support for security modules enabled. The following should be sufficient:

Code:
CONFIG_SECURITY=y


[EDIT] Since someone asked me why this is needed, here is a short explanation: In 2.4 it was possible to overwrite entries of the syscall table. This is necessary to enable the filesystem monitoring. In 2.6 one has to use the security hooks to get the same functionality because the syscall table is no longer exported.
[/EDIT]

Building:
Note: The default behaviour of the module is to monitor all file adding, moving, removing and renaming operations. If you also want to monitor file content modifications you have to uncomment the following line in fsysmon.c:

Code:
// #define INODE_ACCESS (optionally)


Building the module:

Code:
tar zxvf fsysmon-0.1.tar.gz
cd /usr/src/linux
make SUBDIRS=/path_to_archive/fsysmon-0.1/module/ modules

Loading:

Code:
cd /path_to_archive/fsysmon-0.1/module/
su
insmod ./fsysmon.ko

Usage:
The module creates a device called /dev/fsysmon.
In case you are using UDEV you have to create the device yourself:
Find out its major number:

Code:
grep fsysmon /proc/devices
253 fsysmon


Create the device:

Code:
mknod /dev/fsysmon c 253 1

To monitor the filesystem alterations you can simply type:

Code:
cat /dev/fsysmon


This will output a line every time something was modified. The first character of the line determines its meaning; the rest is the pathname of the corresponding file without its first character (which is ‘/’ anyway).

Semantics of the first character:
a: file was added
r: file was removed
u: file content was updated

Example:
Output Line: ahome/user/fileXY
Meaning: fileXY was just created in directory /home/user
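As an added example (not part of the original post or of the fsysmon module itself), a small Python consumer for the line format described above: it restores the leading ‘/’, maps the code letters to event names, keeps lines with an unknown code instead of dropping them, and reports only events under a watched prefix such as /etc. The sample lines are constructed, not captured from a real system.

```python
import sys

# Event codes emitted by the module, as documented in the post.
EVENT_KINDS = {
    "a": "added",
    "r": "removed",
    "u": "updated",
}


def parse_event(line):
    """Decode one /dev/fsysmon line into (kind, absolute_path).

    The first character is the event code; the remainder is the path with
    its leading '/' stripped, so it is put back here. Unknown codes are
    reported as 'unknown' rather than silently discarded.
    """
    line = line.rstrip("\n")
    if not line:
        return None
    code, rest = line[0], line[1:]
    return EVENT_KINDS.get(code, "unknown"), "/" + rest


def watched(path, prefixes):
    """True if path is one of the watched directories or lies beneath one."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def filter_events(lines, prefixes):
    """Parse device lines and keep the events under the watched prefixes."""
    events = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and watched(ev[1], prefixes):
            events.append(ev)
    return events


# Constructed sample of what the device emits (one event per line).
SAMPLE_LINES = [
    "ahome/user/fileXY\n",
    "uetc/passwd\n",
    "retc/cron.d/job\n",
    "xvar/tmp/odd\n",
]

if __name__ == "__main__":
    # Read the device (or a file given as argument) line by line, without
    # stopping: a reader that stops while the module stays loaded lets the
    # module's buffer grow, as the post warns.
    source = sys.argv[1] if len(sys.argv) > 1 else "/dev/fsysmon"
    with open(source) as src:
        for line in src:
            ev = parse_event(line)
            if ev is not None and watched(ev[1], ["/etc"]):
                print(f"{ev[0]:8s} {ev[1]}")
```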

Unloading:

Code:
su
rmmod fsysmon


Caution: It is important to unload the module if you don’t read from /dev/fsysmon; otherwise the module will eat up all your memory after a while.
If you continuously read from the device, you can leave it running as long as you want.

Source: http://forums.gentoo.org/index.php

Post By Editor (2,827 Posts)
