Looking for a file monitor

Looking for a file monitor

[Wei Hu]

Hi there,

I'm looking for a file monitor for Linux, basically like filemon
(http://www.sysinternals.com/Utilities/Filemon.html) for Windows.  But
it looks like filemon for Linux has been discontinued.

I looked into dnotify but it was not what I'm looking for.  I want a
monitor program that can intercept all file access of any process that
satisfy a given filter.  Is there a program?  I searched on Google but
had no luck.


Thanks,
Wei

Re: Looking for a file monitor

[Hareesh Nagarajan]

Wei Hu wrote:
> I looked into dnotify but it was not what I'm looking for.  I want a
> monitor program that can intercept all file access of any process that
> satisfy a given filter.  Is there a program?  I searched on Google but
> had no luck.

dnotify has been succeeded by inotify. check the link below:
	http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README

./hareesh

Re: Looking for a file monitor

[Wei Hu]

Thanks for the information.
I understand inotify is a replacement for dnotify.
But I still don't get the advantages of it.
What kind of events can I watch?

On 2/24/06, Hareesh Nagarajan <hnagar2@gmail.com> wrote:
> Wei Hu wrote:
> > I looked into dnotify but it was not what I'm looking for.  I want a
> > monitor program that can intercept all file access of any process that
> > satisfy a given filter.  Is there a program?  I searched on Google but
> > had no luck.
>
> dnotify has been succeeded by inotify. check the link below:
>         http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
>
> ./hareesh
>

Re: Looking for a file monitor

[Diego Calleja]

El Fri, 24 Feb 2006 02:06:27 -0600,
Hareesh Nagarajan <hnagar2@gmail.com> escribió:


> dnotify has been succeeded by inotify. check the link below:
> 	http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README

IIRC, inotify is not the best thing for examining system-wide events.
Monitoring of directories is not recursive (neither it should, i think)
so to examine the whole system you would need to need thousands of
watches.

Re: Looking for a file monitor

[Hareesh Nagarajan]

Diego Calleja wrote:
> El Fri, 24 Feb 2006 02:06:27 -0600,
> Hareesh Nagarajan <hnagar2@gmail.com> escribió:
> 
> 
>> dnotify has been succeeded by inotify. check the link below:
>> 	http://www.kernel.org/pub/linux/kernel/people/rml/inotify/README
> 
> IIRC, inotify is not the best thing for examining system-wide events.
> Monitoring of directories is not recursive (neither it should, i think)
> so to examine the whole system you would need to need thousands of
> watches.

Surely.

But if we want to keep a track of all the files that are opened, read, 
written or deleted (much like filemon; ``Filemon's timestamping feature 
will show you precisely when every open, read, write or delete, happens, 
and its status column tells you the outcome."), we can write a simple 
patch that makes a note of these events on the VFS layer, and then we 
could export this information to userspace, via relayfs. It wouldn't be 
too hard to code a relatively efficient implementation.

Hareesh

Re: Looking for a file monitor

[Wei Hu]

Yeah, that's basically what I'm looking for.
So is it correct that I can keep track of all the actions as inotify events?


> But if we want to keep a track of all the files that are opened, read,
> written or deleted (much like filemon; ``Filemon's timestamping feature
> will show you precisely when every open, read, write or delete, happens,
> and its status column tells you the outcome."), we can write a simple
> patch that makes a note of these events on the VFS layer, and then we
> could export this information to userspace, via relayfs. It wouldn't be
> too hard to code a relatively efficient implementation.
>
> Hareesh
>

Re: Looking for a file monitor

[Hareesh Nagarajan]

Wei Hu wrote:
> Yeah, that's basically what I'm looking for.
> So is it correct that I can keep track of all the actions as inotify events?

Yes, you can. I just looked at the defn of sys_open and I see that 	
	fsnotify_open(f->f_dentry);
gets called, which internally calls:
	inotify_dentry_parent_queue_event(...) and,
	inotify_inode_queue_event(...)

Do check out inotify. The same applies to other generic operations on 
the VFS layer.

Hareesh

Re: Looking for a file monitor

[Wei Hu]

>
> It looks to me like you could use an LD_PRELOAD'ed library to monitor
> such events?

That's a good idea.
Is there an existing tool, or do I need to write a system call wrapper?

>
> Alternatively, consider something like the honeynet monitoring kernel
> monitor module, perhaps.

Could you give more information here?
I'm not familiar with honeynet, thanks.

>
> Rogan
>

Re: Looking for a file monitor

[Chuck Ebbert]

In-Reply-To: <43FF3C1C.5040200@gmail.com>

On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:

> But if we want to keep a track of all the files that are opened, read, 
> written or deleted (much like filemon; ``Filemon's timestamping feature 
> will show you precisely when every open, read, write or delete, happens, 
> and its status column tells you the outcome."), we can write a simple 
> patch that makes a note of these events on the VFS layer, and then we 
> could export this information to userspace, via relayfs. It wouldn't be 
> too hard to code a relatively efficient implementation.

 Doesn't auditing do all this?

 I have Fedora Core 4 installed and it comes with the 'audit' RPM.

-- 
Chuck
"Equations are the Devil's sentences."  --Stephen Colbert

Re: Looking for a file monitor

[Hareesh Nagarajan]

Chuck Ebbert wrote:
> In-Reply-To: <43FF3C1C.5040200@gmail.com>
> 
> On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:
> 
>> But if we want to keep a track of all the files that are opened, read, 
>> written or deleted (much like filemon; ``Filemon's timestamping feature 
>> will show you precisely when every open, read, write or delete, happens, 
>> and its status column tells you the outcome."), we can write a simple 
>> patch that makes a note of these events on the VFS layer, and then we 
>> could export this information to userspace, via relayfs. It wouldn't be 
>> too hard to code a relatively efficient implementation.
> 
>  Doesn't auditing do all this?

I have no idea about auditing, but I would guess it internally uses inotify.

Hareesh

Re: Looking for a file monitor

[Arjan van de Ven]

On Fri, 2006-02-24 at 22:01 -0600, Hareesh Nagarajan wrote:
> Chuck Ebbert wrote:
> > In-Reply-To: <43FF3C1C.5040200@gmail.com>
> > 
> > On Fri, 24 Feb 2006 at 11:02:20 -0600, Hareesh Nagarajan wrote:
> > 
> >> But if we want to keep a track of all the files that are opened, read, 
> >> written or deleted (much like filemon; ``Filemon's timestamping feature 
> >> will show you precisely when every open, read, write or delete, happens, 
> >> and its status column tells you the outcome."), we can write a simple 
> >> patch that makes a note of these events on the VFS layer, and then we 
> >> could export this information to userspace, via relayfs. It wouldn't be 
> >> too hard to code a relatively efficient implementation.
> > 
> >  Doesn't auditing do all this?
> 
> I have no idea about auditing, but I would guess it internally uses inotify.


it doesn't; it uses the audit framework which, by the way, exactly does
what the proposed patch above would do :)