Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 11 Apr 2001 12:15:49 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 11 Apr 2001 12:15:39 -0400 Received: from uncontrolled.org ([209.134.138.193]:41084 "EHLO unf.uncontrolled.org") by vger.kernel.org with ESMTP id ; Wed, 11 Apr 2001 12:15:29 -0400 Date: Wed, 11 Apr 2001 11:19:31 +0000 (GMT) From: Ben Breuninger To: Subject: real-time file monitoring at the kernel level Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Hello, I was wondering if anyone has a patch, or is working on something for what im looking for, or if they are interested in an idea i have (forgive me if this is someone elses idea, ill give credit to them), for file monitoring at the kernel level. I have put up a brief explanation of what im looking for at http://flog.uncontrolled.org/, but in a nutshell, it is this: a kernel patch (or module) that would allow me to have, say, /proc/flog, which shows real-time file monitoring information, which could be tail -f'd like so: root@server~# tail -f /proc/flog modify: root "/var/log/auth.log" 20000410150229 access: root "/etc/passwd" 20000410150324 modify: root "/etc/passwd" 20000410150441 remove: root "/var/log/auth.log" 20000410150502 create: root "/usr/bin/.. /" 20000410150534 create: root "/usr/bin/.. /backdoor" 20000410150627 modify: bob "/home/bob/mailbox" 20000410150854 modify: root "/var/www/htdocs/index.html" 20000410150927 the above would describe a theoretical breakin from a hacker, which i believe would be extremely useful in intrusion detection. My idea of this is further outlined at http://flog.uncontrolled.org/, including theoretical usage, practice, description, etc. The reason i ask the linux-kernel community is my coding ability does not allow me to hack at the kernel, and so i would need help with this, or any other information that would point me in the right direction that im looking for. If someone is interested in this, or has any information whatsoever, please let me know! thanks, benb@uncontrolled.org PS: im not looking for LIDS - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/