Re: real-time file monitoring at the kernel level
you might check out fam and imon (fam is userspace, imon is a kernel patch).
Both are open source SGI tools; imon is the inode monitor. Both can be found
at http://oss.sgi.com

> Hello,
>
> I was wondering if anyone has a patch, or is working on something for what
> I'm looking for, or if they are interested in an idea I have (forgive me if
> this is someone else's idea, I'll give credit to them), for file monitoring
> at the kernel level.
> I have put up a brief explanation of what I'm looking for at
> http://flog.uncontrolled.org/, but in a nutshell, it is this:
>
> a kernel patch (or module) that would allow me to have, say, /proc/flog,
> which shows real-time file monitoring information, which could be tail
> -f'd like so:
>
> root@server~# tail -f /proc/flog
> modify: root "/var/log/auth.log" 2410150229
> access: root "/etc/passwd" 2410150324
> modify: root "/etc/passwd" 2410150441
> remove: root "/var/log/auth.log" 2410150502
> create: root "/usr/bin/.. /" 2410150534
> create: root "/usr/bin/.. /backdoor" 2410150627
> modify: bob "/home/bob/mailbox" 2410150854
> modify: root "/var/www/htdocs/index.html" 2410150927
>
> the above would describe a theoretical break-in from a hacker, which I
> believe would be extremely useful in intrusion detection. My idea of this
> is further outlined at http://flog.uncontrolled.org/, including
> theoretical usage, practice, description, etc.
> The reason I ask the linux-kernel community is my coding ability does not
> allow me to hack at the kernel, and so I would need help with this, or any
> other information that would point me in the right direction that I'm
> looking for.
>
> If someone is interested in this, or has any information whatsoever,
> please let me know!
>
> thanks,
> [EMAIL PROTECTED]
>
> PS: I'm not looking for LIDS
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: real-time file monitoring at the kernel level
You may want to take a look at the Linux Trace Toolkit which may be used to
do what you ask for.

http://www.opersys.com/LTT

Karim

Ben Breuninger wrote:
>
> Hello,
>
> I was wondering if anyone has a patch, or is working on something for what
> I'm looking for, or if they are interested in an idea I have (forgive me if
> this is someone else's idea, I'll give credit to them), for file monitoring
> at the kernel level.
> I have put up a brief explanation of what I'm looking for at
> http://flog.uncontrolled.org/, but in a nutshell, it is this:
>
> a kernel patch (or module) that would allow me to have, say, /proc/flog,
> which shows real-time file monitoring information, which could be tail
> -f'd like so:
>
> root@server~# tail -f /proc/flog
> modify: root "/var/log/auth.log" 2410150229
> access: root "/etc/passwd" 2410150324
> modify: root "/etc/passwd" 2410150441
> remove: root "/var/log/auth.log" 2410150502
> create: root "/usr/bin/.. /" 2410150534
> create: root "/usr/bin/.. /backdoor" 2410150627
> modify: bob "/home/bob/mailbox" 2410150854
> modify: root "/var/www/htdocs/index.html" 2410150927
>
> the above would describe a theoretical break-in from a hacker, which I
> believe would be extremely useful in intrusion detection. My idea of this
> is further outlined at http://flog.uncontrolled.org/, including
> theoretical usage, practice, description, etc.
> The reason I ask the linux-kernel community is my coding ability does not
> allow me to hack at the kernel, and so I would need help with this, or any
> other information that would point me in the right direction that I'm
> looking for.
>
> If someone is interested in this, or has any information whatsoever,
> please let me know!
>
> thanks,
> [EMAIL PROTECTED]
>
> PS: I'm not looking for LIDS
>

-- 
===
Karim Yaghmour
[EMAIL PROTECTED]
Embedded and Real-Time Linux Expert
===
Re: real-time file monitoring at the kernel level
I have never tried it myself but it looks like it might do what you want:

http://oss.sgi.com/projects/fam/

fam and imon FAQ
================

What is fam?

fam, the File Alteration Monitor, provides an API which applications can use
to be notified when specific files or directories are changed.

fam comes in two parts: fam, the daemon which listens for requests and
delivers notification, and libfam, a library which client applications can
use to communicate with fam.

If the monitored files are mounted from a remote host, the local fam will
attempt to contact fam on the remote host, and will pass the requests on to
the remote fam.

fam can also notify its clients when a file starts and stops execution. (The
IRIX Interactive Desktop uses this to change a program's icon while it's
running, for example.)

fam was originally written for IRIX in 1989 by Bruce Karsh, and was rewritten
in 1995 by Bob Miller. This open-source release of fam builds and runs on
both Linux and IRIX, and is the same fam that will be included with IRIX
6.5.8.

What is imon?

imon, the Inode Monitor, is the part of the kernel that tells fam when files
have changed. When applications tell fam they're interested in files or
directories, fam passes that interest on to imon. When file operations are
performed on files monitored by imon, the kernel tells imon; imon tells fam,
and fam notifies the applications which are interested in the files.

imon was originally written for the IRIX kernel in 1989 by Wiltse Carpenter;
the Linux port was done by Roger Chickering. The Linux implementation in the
imon kernel patch is similar to the IRIX implementation in most ways, but it
hooks into the kernel filesystem code differently.
real-time file monitoring at the kernel level
Hello,

I was wondering if anyone has a patch, or is working on something for what
I'm looking for, or if they are interested in an idea I have (forgive me if
this is someone else's idea, I'll give credit to them), for file monitoring
at the kernel level.
I have put up a brief explanation of what I'm looking for at
http://flog.uncontrolled.org/, but in a nutshell, it is this:

a kernel patch (or module) that would allow me to have, say, /proc/flog,
which shows real-time file monitoring information, which could be tail
-f'd like so:

root@server~# tail -f /proc/flog
modify: root "/var/log/auth.log" 2410150229
access: root "/etc/passwd" 2410150324
modify: root "/etc/passwd" 2410150441
remove: root "/var/log/auth.log" 2410150502
create: root "/usr/bin/.. /" 2410150534
create: root "/usr/bin/.. /backdoor" 2410150627
modify: bob "/home/bob/mailbox" 2410150854
modify: root "/var/www/htdocs/index.html" 2410150927

the above would describe a theoretical break-in from a hacker, which I
believe would be extremely useful in intrusion detection. My idea of this
is further outlined at http://flog.uncontrolled.org/, including
theoretical usage, practice, description, etc.
The reason I ask the linux-kernel community is my coding ability does not
allow me to hack at the kernel, and so I would need help with this, or any
other information that would point me in the right direction that I'm
looking for.

If someone is interested in this, or has any information whatsoever,
please let me know!

thanks,
[EMAIL PROTECTED]

PS: I'm not looking for LIDS
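As an added example (not code from this thread, from flog, or from fam/imon), here is a small consumer for the /proc/flog line format proposed in the post: it parses records of the shape `<op>: <user> "<path>" <timestamp>` and runs a few detection rules over them, using the post's own eight sample lines as constructed input. The rule set, the severity labels, the list of system binary directories and account files, and the treatment of the trailing number as an opaque token are all assumptions made for this example; the post does not define any of them.

```python
"""Parse and triage records in the /proc/flog line format proposed in the thread.

Record shape (from the post):  <op>: <user> "<path>" <timestamp>
The trailing number is treated as an opaque token; nothing here depends on it.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the eight lines from the post, verbatim.
SAMPLE_FLOG = """\
modify: root "/var/log/auth.log" 2410150229
access: root "/etc/passwd" 2410150324
modify: root "/etc/passwd" 2410150441
remove: root "/var/log/auth.log" 2410150502
create: root "/usr/bin/.. /" 2410150534
create: root "/usr/bin/.. /backdoor" 2410150627
modify: bob "/home/bob/mailbox" 2410150854
modify: root "/var/www/htdocs/index.html" 2410150927
"""

# One record per line; the path is double-quoted, so it may contain spaces.
LINE_RE = re.compile(
    r'^(?P<op>[a-z]+): (?P<user>\S+) "(?P<path>(?:[^"\\]|\\.)*)" (?P<ts>\d+)$'
)

# Rule parameters are assumptions for this example, not anything from the thread.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}


@dataclass(frozen=True)
class FlogEvent:
    op: str
    user: str
    path: str
    ts: str


def parse_flog(text):
    """Turn flog text into FlogEvent objects. Malformed lines are an error rather
    than being skipped, so a truncated or tampered feed is noticed."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable flog record: {line!r}")
        events.append(FlogEvent(**m.groupdict()))
    return events


def odd_component(path):
    """Return the first path component that is padded with whitespace, or that is
    a dots-only name other than "." and "..". Such names are nearly invisible in
    a directory listing, which is why the ".. " in the post's sample stands out."""
    for comp in path.split("/"):
        if not comp:
            continue
        if comp != comp.strip() or (set(comp) == {"."} and comp not in (".", "..")):
            return comp
    return None


def analyze(events):
    """Apply the rule set to a list of FlogEvent; returns (severity, rule, event)
    triples in event order, one triple per rule that matched."""
    findings = []
    for ev in events:
        if ev.op == "remove" and ev.path.startswith("/var/log/"):
            findings.append(("high", "log-file-removed", ev))
        if ev.op == "modify" and ev.path in ACCOUNT_FILES:
            findings.append(("high", "account-db-modified", ev))
        if odd_component(ev.path) is not None:
            findings.append(("high", "odd-path-component", ev))
        if ev.op == "create" and any(ev.path.startswith(d + "/") for d in SYSTEM_BIN_DIRS):
            findings.append(("medium", "create-in-system-bin", ev))
    return findings


def report(text):
    """Parse, analyze, and render one human-readable line per finding."""
    return [
        f"[{sev}] {rule}: {ev.op} by {ev.user} on {ev.path!r} at {ev.ts}"
        for sev, rule, ev in analyze(parse_flog(text))
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOG)))
```

Run as a script it prints six findings for the post's sample: the /etc/passwd modification, the removal of /var/log/auth.log, and two findings each for the two creations under "/usr/bin/.. /". The `access` line and the two ordinary modifications produce nothing, which is the point of keying rules on the operation as well as the path. The same parser would sit behind `tail -f /proc/flog` if the interface existed as described.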