Hi there,
I'm looking for a file monitor for Linux, basically like filemon
(http://www.sysinternals.com/Utilities/Filemon.html) for Windows. But
it looks like filemon for Linux has been discontinued.
I looked into dnotify but it was not what I'm looking for. I want a
monitor program that can intercept all file access of any process that
satisfies a given filter. Is there a program? I searched on Google but
had no luck.
Thanks,
Wei
Wei Hu wrote:
> I looked into dnotify but it was not what I'm looking for. I want a
> monitor program that can intercept all file access of any process that
> satisfies a given filter. Is there a program? I searched on Google but
> had no luck.
dnotify has been succeeded by inotify. Check the link below:
http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
./hareesh
Thanks for the information.
I understand inotify is a replacement for dnotify.
But I still don't get the advantages of it.
What kind of events can I watch?
On 2/24/06, Hareesh Nagarajan <[email protected]> wrote:
> Wei Hu wrote:
> > I looked into dnotify but it was not what I'm looking for. I want a
> > monitor program that can intercept all file access of any process that
> > satisfies a given filter. Is there a program? I searched on Google but
> > had no luck.
>
> dnotify has been succeeded by inotify. Check the link below:
> http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
>
> ./hareesh
>
On Fri, 24 Feb 2006 02:06:27 -0600,
Hareesh Nagarajan <[email protected]> wrote:
> dnotify has been succeeded by inotify. Check the link below:
> http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
IIRC, inotify is not the best thing for examining system-wide events.
Monitoring of directories is not recursive (nor should it be, I think),
so to examine the whole system you would need thousands of
watches.
>
> It looks to me like you could use an LD_PRELOAD'ed library to monitor
> such events?
That's a good idea.
Is there an existing tool, or do I need to write a system call wrapper?
>
> Alternatively, consider something like the honeynet monitoring kernel
> monitor module, perhaps.
Could you give more information here?
I'm not familiar with honeynet, thanks.
>
> Rogan
>
Diego Calleja wrote:
> On Fri, 24 Feb 2006 02:06:27 -0600,
> Hareesh Nagarajan <[email protected]> wrote:
>
>
>> dnotify has been succeeded by inotify. Check the link below:
>> http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
>
> IIRC, inotify is not the best thing for examining system-wide events.
> Monitoring of directories is not recursive (nor should it be, I think),
> so to examine the whole system you would need thousands of
> watches.
Surely.
But if we want to keep a track of all the files that are opened, read,
written or deleted (much like filemon; "Filemon's timestamping feature
will show you precisely when every open, read, write or delete, happens,
and its status column tells you the outcome."), we can write a simple
patch that makes a note of these events on the VFS layer, and then we
could export this information to userspace, via relayfs. It wouldn't be
too hard to code a relatively efficient implementation.
Hareesh
Yeah, that's basically what I'm looking for.
So is it correct that I can keep track of all the actions as inotify events?
> But if we want to keep a track of all the files that are opened, read,
> written or deleted (much like filemon; "Filemon's timestamping feature
> will show you precisely when every open, read, write or delete, happens,
> and its status column tells you the outcome."), we can write a simple
> patch that makes a note of these events on the VFS layer, and then we
> could export this information to userspace, via relayfs. It wouldn't be
> too hard to code a relatively efficient implementation.
>
> Hareesh
>
On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:
> But if we want to keep a track of all the files that are opened, read,
> written or deleted (much like filemon; "Filemon's timestamping feature
> will show you precisely when every open, read, write or delete, happens,
> and its status column tells you the outcome."), we can write a simple
> patch that makes a note of these events on the VFS layer, and then we
> could export this information to userspace, via relayfs. It wouldn't be
> too hard to code a relatively efficient implementation.
Doesn't auditing do all this?
I have Fedora Core 4 installed and it comes with the 'audit' RPM.
--
Chuck
"Equations are the Devil's sentences." --Stephen Colbert
Wei Hu wrote:
> Yeah, that's basically what I'm looking for.
> So is it correct that I can keep track of all the actions as inotify events?
Yes, you can. I just looked at the definition of sys_open and I see that
    fsnotify_open(f->f_dentry);
gets called, which internally calls:
    inotify_dentry_parent_queue_event(...) and
    inotify_inode_queue_event(...)
Do check out inotify. The same applies to other generic operations on
the VFS layer.
Hareesh
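A small Linux C monitor built on the inotify interface Hareesh points at, added here as an example and not code from the thread: it puts one watch on a directory, runs a constructed open/write/read/delete sequence, and decodes the queued events into filemon's verbs, returning the OR of the masks seen. The names watch_dir_once, sample_activity and verb are mine, and the comment on recursion restates Diego's caveat about per-directory watches.

```c
#define _DEFAULT_SOURCE                 /* for mkdtemp() in a caller; glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/inotify.h>

#define BUF_LEN (64 * (sizeof(struct inotify_event) + 256)) /* one read batch */
/* Map an inotify mask to filemon's verbs; first matching bit wins. */
static const char *verb(uint32_t mask)
{
    if (mask & IN_OPEN)   return "open";
    if (mask & IN_ACCESS) return "read";
    if (mask & IN_MODIFY) return "write";
    if (mask & IN_DELETE) return "delete";
    return "other";
}

/* Watch `dir`, run activity(dir) to generate file operations, then drain the
 * queue: print each event and return the OR of every mask seen. One watch
 * covers only the directory's direct entries (inotify is not recursive). */
uint32_t watch_dir_once(const char *dir, void (*activity)(const char *))
{
    uint32_t seen = 0; ssize_t n;
    char buf[BUF_LEN] __attribute__((aligned(8)));
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0) return 0;
    int wd = inotify_add_watch(fd, dir, IN_OPEN | IN_ACCESS | IN_MODIFY | IN_DELETE);
    if (wd < 0) { close(fd); return 0; }
    activity(dir);                    /* fsnotify queues these synchronously */
    while ((n = read(fd, buf, sizeof buf)) > 0) {   /* EAGAIN ends the loop */
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            printf("%-6s %s/%s\n", verb(ev->mask), dir, ev->len ? ev->name : "");
            seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
    }
    close(fd);
    return seen;
}
/* Constructed activity: create and write a file, read it back, delete it. */
void sample_activity(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/probe.txt", dir);
    FILE *f = fopen(path, "w");
    if (f) { fputs("hello\n", f); fclose(f); }        /* open, write */
    if ((f = fopen(path, "r"))) { (void)fgetc(f); fclose(f); }  /* open, read */
    unlink(path);                                     /* delete */
}
```

Call watch_dir_once with a scratch directory (mkdtemp works) and sample_activity to see the four events printed. Note that an inotify event carries the file name but not the pid of the process that touched it, which is where the audit framework mentioned further down the thread comes in.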
Chuck Ebbert wrote:
> On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:
>
>> But if we want to keep a track of all the files that are opened, read,
>> written or deleted (much like filemon; "Filemon's timestamping feature
>> will show you precisely when every open, read, write or delete, happens,
>> and its status column tells you the outcome."), we can write a simple
>> patch that makes a note of these events on the VFS layer, and then we
>> could export this information to userspace, via relayfs. It wouldn't be
>> too hard to code a relatively efficient implementation.
>
> Doesn't auditing do all this?
I have no idea about auditing, but I would guess it internally uses inotify.
Hareesh
On Fri, 2006-02-24 at 22:01 -0600, Hareesh Nagarajan wrote:
> Chuck Ebbert wrote:
> > On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:
> >
> >> But if we want to keep a track of all the files that are opened, read,
> >> written or deleted (much like filemon; "Filemon's timestamping feature
> >> will show you precisely when every open, read, write or delete, happens,
> >> and its status column tells you the outcome."), we can write a simple
> >> patch that makes a note of these events on the VFS layer, and then we
> >> could export this information to userspace, via relayfs. It wouldn't be
> >> too hard to code a relatively efficient implementation.
> >
> > Doesn't auditing do all this?
>
> I have no idea about auditing, but I would guess it internally uses inotify.
It doesn't; it uses the audit framework which, by the way, does exactly
what the proposed patch above would do :)