From: Karim Yaghmour <karym@opersys.com>
To: Ben Breuninger <benb@uncontrolled.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: real-time file monitoring at the kernel level
Date: Thu, 12 Apr 2001 00:45:32 -0400
Message-ID: <3AD532EC.366DDC4C@opersys.com>
In-Reply-To: <Pine.BSO.4.33.0104111117130.6048-100000@unf.uncontrolled.org>
You may want to take a look at the Linux Trace Toolkit which may
be used to do what you ask for.
http://www.opersys.com/LTT
Karim
Ben Breuninger wrote:
>
> Hello,
>
> I was wondering if anyone has a patch, or is working on something for what
> I'm looking for, or if they are interested in an idea I have (forgive me if
> this is someone else's idea, I'll give credit to them), for file monitoring
> at the kernel level.
> I have put up a brief explanation of what I'm looking for at
> http://flog.uncontrolled.org/, but in a nutshell, it is this:
>
> a kernel patch (or module) that would allow me to have, say, /proc/flog,
> which shows real-time file monitoring information, which could be tail
> -f'd like so:
>
> root@server~# tail -f /proc/flog
> modify: root "/var/log/auth.log" 20000410150229
> access: root "/etc/passwd" 20000410150324
> modify: root "/etc/passwd" 20000410150441
> remove: root "/var/log/auth.log" 20000410150502
> create: root "/usr/bin/.. /" 20000410150534
> create: root "/usr/bin/.. /backdoor" 20000410150627
> modify: bob "/home/bob/mailbox" 20000410150854
> modify: root "/var/www/htdocs/index.html" 20000410150927
>
> The above would describe a theoretical break-in from a hacker, which I
> believe would be extremely useful in intrusion detection. My idea of this
> is further outlined at http://flog.uncontrolled.org/, including
> theoretical usage, practice, description, etc.
> The reason I ask the linux-kernel community is my coding ability does not
> allow me to hack at the kernel, and so I would need help with this, or any
> other information that would point me in the right direction that I'm
> looking for.
>
> If someone is interested in this, or has any information whatsoever,
> please let me know!
>
> thanks,
> benb@uncontrolled.org
>
> PS: I'm not looking for LIDS
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
===================================================
Karim Yaghmour
karym@opersys.com
Embedded and Real-Time Linux Expert
===================================================
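As an added example (not part of this thread, and not code from the Linux Trace Toolkit or from flog): a small consumer for the /proc/flog line format Ben sketches above, `op: user "path" YYYYMMDDHHMMSS`. It parses each line and flags the three things his sample break-in illustrates: a write to a critical file, removal of a file under /var/log, and a hidden path component such as the `".. "` directory. The sample lines are constructed from his message; the rule set (`CRITICAL_FILES`, `LOG_DIRS`, `WRITE_OPS`) and the function names are assumptions chosen for illustration. The log rule fires on `remove` only, because syslog modifies /var/log files constantly and a `modify` rule there would be pure noise.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: the lines from the proposal, in the /proc/flog
# format `op: user "path" YYYYMMDDHHMMSS`. Not real kernel output.
SAMPLE_FLOG = """\
modify: root "/var/log/auth.log" 20000410150229
access: root "/etc/passwd" 20000410150324
modify: root "/etc/passwd" 20000410150441
remove: root "/var/log/auth.log" 20000410150502
create: root "/usr/bin/.. /" 20000410150534
create: root "/usr/bin/.. /backdoor" 20000410150627
modify: bob "/home/bob/mailbox" 20000410150854
modify: root "/var/www/htdocs/index.html" 20000410150927
"""

# The path is quoted, so it may legitimately contain spaces (see ".. " above).
LINE_RE = re.compile(r'^(?P<op>\w+): (?P<user>\S+) "(?P<path>[^"]*)" (?P<ts>\d{14})$')

# Hypothetical detection policy; tune for the host being watched.
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
LOG_DIRS = ("/var/log/",)
WRITE_OPS = {"modify", "remove", "create"}


@dataclass(frozen=True)
class FlogEvent:
    op: str
    user: str
    path: str
    ts: datetime


def parse_line(line: str) -> Optional[FlogEvent]:
    """Parse one /proc/flog line; return None for anything malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return FlogEvent(m["op"], m["user"], m["path"],
                     datetime.strptime(m["ts"], "%Y%m%d%H%M%S"))


def suspicious_component(path: str) -> bool:
    """True if any directory or file name in the path looks deliberately hidden.

    Names that start with a dot or contain whitespace (".. ", ". ", "...") are a
    classic trick to make a directory blend in with `ls` output.
    """
    for part in path.split("/"):
        if part in ("", ".", ".."):
            continue
        if part.startswith(".") or any(c.isspace() for c in part):
            return True
    return False


def classify(ev: FlogEvent) -> List[str]:
    """Return the list of reasons this event is interesting (empty if none)."""
    reasons = []
    if ev.path in CRITICAL_FILES and ev.op in WRITE_OPS:
        reasons.append("write to critical file")
    if ev.path.startswith(LOG_DIRS) and ev.op == "remove":
        reasons.append("log file removed")
    if suspicious_component(ev.path):
        reasons.append("hidden path component")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[FlogEvent, List[str]]]:
    """Run the rules over a stream of flog lines, skipping unparsable ones."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    # Reads stdin if piped (e.g. `tail -f /proc/flog | python3 flog_watch.py`),
    # otherwise demonstrates on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_FLOG.splitlines()
    for ev, why in scan(source):
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.op:<7} {ev.user:<6} {ev.path!r}: {', '.join(why)}")
```

Run against the sample it reports four events: the modify of /etc/passwd, the removal of auth.log, and the two creates under the hidden ".. " directory; the `access` of /etc/passwd and the ordinary user and web-root writes pass silently. On a real host the feed is only as trustworthy as the kernel producing it, so a consumer like this belongs on a separate log host fed over the network rather than on the box being watched.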
Thread overview (4+ messages):
2001-04-11 11:19 real-time file monitoring at the kernel level Ben Breuninger
2001-04-12 4:45 ` Karim Yaghmour [this message]
2001-04-12 20:17 ` Ryan Butler
-- strict thread matches above, loose matches on Subject: below --
2001-04-11 16:55 Jon Burgess