From: Ryan Butler <rbutler@adiis.net>
To: Ben Breuninger <benb@uncontrolled.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: real-time file monitoring at the kernel level
Date: Thu, 12 Apr 2001 15:17:42 -0500
Message-ID: <3AD60D66.7010907@adiis.net>
In-Reply-To: <Pine.BSO.4.33.0104111117130.6048-100000@unf.uncontrolled.org> <3AD532EC.366DDC4C@opersys.com>
You might check out fam and imon (fam is userspace, imon is a kernel patch).
Both are open-source SGI tools; imon is the inode monitor.
Both can be found at http://oss.sgi.com
>Hello,
>
>I was wondering if anyone has a patch, or is working on something for what
>I'm looking for, or if they are interested in an idea I have (forgive me if
>this is someone else's idea, I'll give credit to them), for file monitoring
>at the kernel level.
>I have put up a brief explanation of what I'm looking for at
>http://flog.uncontrolled.org/, but in a nutshell, it is this:
>
>a kernel patch (or module) that would allow me to have, say, /proc/flog,
>which shows real-time file monitoring information, which could be tail
>-f'd like so:
>
>root@server~# tail -f /proc/flog
>modify: root "/var/log/auth.log" 20000410150229
>access: root "/etc/passwd" 20000410150324
>modify: root "/etc/passwd" 20000410150441
>remove: root "/var/log/auth.log" 20000410150502
>create: root "/usr/bin/.. /" 20000410150534
>create: root "/usr/bin/.. /backdoor" 20000410150627
>modify: bob "/home/bob/mailbox" 20000410150854
>modify: root "/var/www/htdocs/index.html" 20000410150927
>
>The above would describe a theoretical break-in from a hacker, which I
>believe would be extremely useful in intrusion detection. My idea of this
>is further outlined at http://flog.uncontrolled.org/, including
>theoretical usage, practice, description, etc.
>The reason I ask the linux-kernel community is that my coding ability does not
>allow me to hack at the kernel, and so I would need help with this, or any
>other information that would point me in the right direction for what I'm
>looking for.
>
>If someone is interested in this, or has any information whatsoever,
>please let me know!
>
>thanks,
>benb@uncontrolled.org
>
>PS: I'm not looking for LIDS
>
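As an added example (not code from this thread, and not part of fam, imon or the proposed flog patch), here is a small Python consumer for the `/proc/flog` line format sketched in the quoted message. It parses each `event: user "path" timestamp` line, skips malformed input, and applies a few defender-side rules over the constructed sample lines taken from the post: a modification or removal of a sensitive file, removal of anything under `/var/log/`, and creation of a path whose component is padded with whitespace to impersonate `.` or `..` in a directory listing (the `"/usr/bin/.. /"` trick in the example). The rule set, the `SENSITIVE_FILES` list and the function names are my assumptions, not anything the thread specifies.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Line format proposed in the thread:  <event>: <user> "<path>" <YYYYMMDDhhmmss>
FLOG_RE = re.compile(
    r'^(?P<event>modify|access|remove|create): (?P<user>\S+) '
    r'"(?P<path>.*)" (?P<ts>\d{14})$'
)

# Assumed detection parameters (not from the thread).
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}
LOG_DIRS = ("/var/log/",)


@dataclass
class FlogEvent:
    event: str
    user: str
    path: str
    when: datetime


def parse_line(line: str) -> Optional[FlogEvent]:
    """Parse one /proc/flog line; return None for lines that do not match."""
    m = FLOG_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    return FlogEvent(m["event"], m["user"], m["path"], when)


def whitespace_disguised(path: str) -> bool:
    """True if any path component carries leading/trailing whitespace,
    e.g. '.. ' (dot-dot-space), which renders like '..' in a listing."""
    return any(comp != comp.strip() for comp in path.split("/") if comp)


def classify(ev: FlogEvent) -> List[str]:
    """Return the names of the rules an event triggers (empty if none)."""
    alerts: List[str] = []
    if ev.event in ("modify", "remove") and ev.path in SENSITIVE_FILES:
        alerts.append("sensitive-file-" + ev.event)
    if ev.event == "remove" and ev.path.startswith(LOG_DIRS):
        alerts.append("log-removed")
    if ev.event == "create" and whitespace_disguised(ev.path):
        alerts.append("disguised-name-create")
    return alerts


def scan(lines: List[str]) -> List[Tuple[FlogEvent, List[str]]]:
    """Run the rules over a list of lines; keep only events that alerted."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:          # malformed line: skip rather than crash
            continue
        alerts = classify(ev)
        if alerts:
            hits.append((ev, alerts))
    return hits


# Constructed sample: the lines from the quoted post plus one malformed line.
SAMPLE = [
    'modify: root "/var/log/auth.log" 20000410150229',
    'access: root "/etc/passwd" 20000410150324',
    'modify: root "/etc/passwd" 20000410150441',
    'remove: root "/var/log/auth.log" 20000410150502',
    'create: root "/usr/bin/.. /" 20000410150534',
    'create: root "/usr/bin/.. /backdoor" 20000410150627',
    'modify: bob "/home/bob/mailbox" 20000410150854',
    'modify: root "/var/www/htdocs/index.html" 20000410150927',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for ev, alerts in scan(SAMPLE):
        print(f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.user} {ev.event} {ev.path!r}: {', '.join(alerts)}")
```

Fed the sample above, the scanner flags four of the eight well-formed lines: the `/etc/passwd` modification, the removal of `auth.log`, and both creates under the `".. "` directory; the `access` of `/etc/passwd` and the ordinary modifications are left alone. In a real deployment the rules would be read from configuration and the reader would follow the file with the same `tail -f` semantics the post describes.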
Thread overview:
2001-04-11 11:19 real-time file monitoring at the kernel level Ben Breuninger
2001-04-12 4:45 ` Karim Yaghmour
2001-04-12 20:17 ` Ryan Butler [this message]
-- strict thread matches above, loose matches on Subject: below --
2001-04-11 16:55 Jon Burgess