| View previous topic :: View next topic |
| Author |
Message |
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
 Posted: Wed Jul 28, 2004 1:10 pm Post subject: Monitoring all filesystem modifications |
 |
|
29.1.2005 Update: minor bugfix
10.1.2005 Update: now working with 2.6.10 and UDEV
Overview:.
After loading this kernel module you can monitor all file system alterations by simply typing:
It's original purpose was to feed a daemon with data but nevertheless I found it to be even more useful as a standalone project.
Download:.
http://www.logic.at/staff/robinson/fsysmon-0.2.tar.gz
Requirements:
- Kernel 2.6 with Enabled Support for Security Modules. The following should be sufficient:
[EDIT]Since someone asked me why this is needed here a short explanation: In 2.4. it was possible to overwrite entries of the syscall table. This is necessary to enable the filesystem monitoring. In 2.6. one has to use the security hooks to get the same functionality because the syscall table is no longer exported.
[/EDIT]
Building:
Note: The default behavour of the module is to monitor all file - adding, moving, removing, renaming operations. If you also want to monitor file content modifications you have to uncomment the following line in fsysmon.c:
| Code: |
// #define INODE_ACCESS (optionally)
|
Building the module:
| Code: |
tar zxvf fsysmon-0.1.tar.gz
cd /usr/src/linux
make SUBDIRS=/path_to_archive/fsysmon-0.1/module/ modules
|
Loading:
| Code: |
cd /path_to_archive/fsysmon-0.1/module/
su
insmod ./fsysmon.ko
|
Usage:
The module creates a device called /dev/fsysmon.
In case you are using UDEV you have to create the device yourself:
Find out it's major number:
| Code: | grep fsysmon /proc/devices
253 fsysmon |
Create the device:
| Code: | | mknod /dev/fsysmon c 253 1 |
To monitor the filesystem alterations you can simply type:
This will output a line everytime something was modified. The first character of the line determines its meaning, the rest consists of the pathname of the corresponding file without the first character (which is '/' anyways).
Semantics of the first character:
a: file was added
r: file was removed
u: file content was updated
Example:
Output Line: ahome/user/fileXY
Meaning: fileXY was just created in directory /home/user
Unloading:
Caution: It is important to unload the module if you don't read from /dev/fsysmon otherwise the module will eat up all your memory after a while.
If you continuously read from the device you can leave it running as long as you want.
Hope this is helpful!
regards
Last edited by thaldyron on Sat Jan 29, 2005 5:13 pm; edited 6 times in total |
|
| Back to top |
|
 |
beastmaster2000
n00b
Joined: 29 Jul 2004
Posts: 1
|
| Posted: Thu Jul 29, 2004 7:31 am Post subject: |
|
|
This tool seems to make life a lot easier when trying to find out _why_ my harddisk never switches to standby...  |
|
| Back to top |
|
|
GentooBox
Veteran
Joined: 22 Jun 2003
Posts: 1168
Location: Denmark
|
| Posted: Thu Jul 29, 2004 12:46 pm Post subject: |
|
|
that is a damn nice kernel module.
Does it work on all kind of filesystems ?
_________________
Encrypt, lock up everything and duct tape the rest |
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Thu Jul 29, 2004 2:16 pm Post subject: |
|
|
| GentooBox wrote: | that is a damn nice kernel module.
Does it work on all kind of filesystems ? |
Thanks!
If you mean filesystems like reiserfs, ext3 or vfat the answer is yes.
Everything that depends on the inode system calls is monitored (files, sockets, pipes,...) |
|
| Back to top |
|
|
FonderiaDigitale
Veteran
Joined: 06 Nov 2003
Posts: 1710
Location: Rome, Italy
|
| Posted: Sat Jul 31, 2004 2:07 am Post subject: |
|
|
how this is better than tripwire/afick usage?
_________________
Come disse un amico, i sistemisti sono un po' come gli artigiani per l'informatica
|
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Sat Jul 31, 2004 4:25 pm Post subject: |
|
|
| FonderiaDigitale wrote: | | how this is better than tripwire/afick usage? |
I'm not very familiar with tripwire and therefore don't know if tripwire makes it that easy to monitor filesystem alterations by simply parsing the output of a device.
However, I think my kernel module is some sort of a lightweight approach compared to the features of tripwire. AFAIK tripwire is focused on security related issues rather than just producing helpful debug output. |
|
| Back to top |
|
|
Mit
Apprentice
Joined: 13 Apr 2003
Posts: 260
Location: Under a rock.
|
| Posted: Sat Jul 31, 2004 6:08 pm Post subject: |
|
|
| now, that sort of thing could be useful to feed into a virus scanner for some form of real time scanning on a desktop linux machine... might have a play with it see if i can come up with anything as that is the one worry, no specific realtime virus scanner (and as linux popularity increases so will Linux virii/viruses) |
|
| Back to top |
|
|
twiggy
n00b
Joined: 25 Nov 2003
Posts: 65
Location: Sweden
|
| Posted: Sun Aug 01, 2004 12:08 am Post subject: |
|
|
| Mit wrote: | | ..no specific realtime virus scanner (and as linux popularity increases so will Linux virii/viruses) |
If that were really true it would happen NOW!
There's no doubt that there will be alot more security flaws but not real viruses for obvious reasons..
_________________
Bite my shiny metal ass! |
|
| Back to top |
|
|
Mit
Apprentice
Joined: 13 Apr 2003
Posts: 260
Location: Under a rock.
|
| Posted: Sun Aug 01, 2004 7:40 am Post subject: |
|
|
| twiggy wrote: | | Mit wrote: | | ..no specific realtime virus scanner (and as linux popularity increases so will Linux virii/viruses) |
If that were really true it would happen NOW!
There's no doubt that there will be alot more security flaws but not real viruses for obvious reasons.. |
I wouldn't like to bet on that, problem being even thou Linux is inherantly far more secure when it comes to users and access etc, when more people start using it, the 'untrained' ones will start using root to do normal things, just like Windows and Administrator (yes, i've seen people use administrator to surf the net etc on a server)
Anyway, a realtime virus scanner can't do any harm for linux to have one (or many) - maybe i've just not come across one that doesn't have a stupidly large price tag next to it yet... perhaps it does exist
Hey, why not more options.. after all, thats what Linux is about - options  |
|
| Back to top |
|
|
twiggy
n00b
Joined: 25 Nov 2003
Posts: 65
Location: Sweden
|
| Posted: Sun Aug 01, 2004 2:55 pm Post subject: |
|
|
As i said before there will be alot more security issues in the future but you know viruses does NOT feed on popularity! We won't see the same thing that is happening with windows unless everyone starts running everything as root
_________________
Bite my shiny metal ass! |
|
| Back to top |
|
|
GentooBox
Veteran
Joined: 22 Jun 2003
Posts: 1168
Location: Denmark
|
| Posted: Sun Aug 01, 2004 5:27 pm Post subject: |
|
|
| twiggy wrote: | | As i said before there will be alot more security issues in the future but you know viruses does NOT feed on popularity! We won't see the same thing that is happening with windows unless everyone starts running everything as root |
Im running everything as root. 
Its nice to have the kernel module as a extra kernel feature.
i made a script that checks if something is getting written to my binary files or some of them is changed.
I case some guy want to install a backdoor on my box.
_________________
Encrypt, lock up everything and duct tape the rest |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Tue Sep 07, 2004 8:28 pm Post subject: |
|
|
doesn't compile on 2.6.9-rc1...
| Code: |
mirko3 linux # make SUBDIRS=/root/fsysmon-0.1/module/ modules
CC [M] /root/fsysmon-0.1/module/fsysmon.o
/root/fsysmon-0.1/module/fsysmon.c: In function `fsysmon_inode_create':
/root/fsysmon-0.1/module/fsysmon.c:80: sorry, unimplemented: inlining failed in call to 'filenames_entry': function body not available
/root/fsysmon-0.1/module/fsysmon.c:201: sorry, unimplemented: called from here
make[1]: *** [/root/fsysmon-0.1/module/fsysmon.o] Error 1
make: *** [_module_/root/fsysmon-0.1/module] Error 2
|
any clue, anyone?
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
codergeek42
Bodhisattva
Joined: 05 Apr 2004
Posts: 5142
Location: Anaheim, CA (USA)
|
| Posted: Wed Sep 08, 2004 9:12 pm Post subject: |
|
|
| mirko_3 wrote: | doesn't compile on 2.6.9-rc1...
| Code: |
mirko3 linux # make SUBDIRS=/root/fsysmon-0.1/module/ modules
CC [M] /root/fsysmon-0.1/module/fsysmon.o
/root/fsysmon-0.1/module/fsysmon.c: In function `fsysmon_inode_create':
/root/fsysmon-0.1/module/fsysmon.c:80: sorry, unimplemented: inlining failed in call to 'filenames_entry': function body not available
/root/fsysmon-0.1/module/fsysmon.c:201: sorry, unimplemented: called from here
make[1]: *** [/root/fsysmon-0.1/module/fsysmon.o] Error 1
make: *** [_module_/root/fsysmon-0.1/module] Error 2
|
any clue, anyone? |
This initially happened to me to (not for this specific module(s) though). Are you using GCC 3.4 ?
_________________
~~ Peter: Programmer, Mathematician, STEM & Free Software Advocate, Enlightened Agent, Transhumanist, Fedora contributor
Who am I? :: EFF & FSF |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Mon Sep 13, 2004 1:37 pm Post subject: |
|
|
sorry for the delay in replying, but I wasn't at home...
yes, I'm using gcc 3.4... does that mean I have to use 3.3.x?
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Thu Sep 16, 2004 9:28 pm Post subject: |
|
|
Ok, gcc-config to switch gcc version and fsysmon compiled. I even was able to force it to load (because of different gcc versions I use to compile the module and the kernel, I had to force it). But it doesn't work; from dmesg:
| Code: |
fsysmon security module removed
fsysmon: no version magic, tainting kernel.
Module fsysmon init
There is already a security framework initialized, register_security failed.
Failure registering fsysmon module with the kernel
Failure registering fsysmon module with primary security module.
fsysmon initialized as a security module.
|
and when I remove it:
| Code: | Module fsysmon exit
Failure unregistering fsysmon security module with primary module.
fsysmon security module removed
|
Any solution?
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Mon Jan 17, 2005 3:23 pm Post subject: |
|
|
Hi all!
I've updated the code to work with the later 2.6.x releases. In case you are using udev you have to create the device yourself as described in the readme!
Regards |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Mon Jan 17, 2005 4:51 pm Post subject: |
|
|
Why thanks, I'll try it as soon as I have time!
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Sat Jan 22, 2005 7:33 pm Post subject: |
|
|
I've just downloaded it, but it does not compile:
| Code: |
mirko_3 linux # make SUBDIRS=/root/fsysmon-0.2/module/ modules
CC [M] /root/fsysmon-0.2/module/fsysmon.o
/root/fsysmon-0.2/module/fsysmon.c: In function `fsysmon_inode_create':
/root/fsysmon-0.2/module/fsysmon.c:81: sorry, unimplemented: inlining failed in call to 'filenames_entry': function body not available
/root/fsysmon-0.2/module/fsysmon.c:202: sorry, unimplemented: called from here
make[1]: *** [/root/fsysmon-0.2/module/fsysmon.o] Error 1
make: *** [_module_/root/fsysmon-0.2/module] Error 2
|
gcc version 3.4.3 20050110, CONFIG_SECURITY=y. I've no idea about what I might try to make it work....
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Sat Jan 22, 2005 7:55 pm Post subject: |
|
|
| mirko_3 wrote: |
gcc version 3.4.3 20050110, CONFIG_SECURITY=y. I've no idea about what I might try to make it work.... |
This is realy strange. What kernel are you using? I just tried it again myself and it worked. I'm using gcc (GCC) 3.4.3 20041125 and development-sources-2.6.10-r1. You could PM me your kernel .config then I will try to figure out if it's a kernel issue or not. |
|
| Back to top |
|
|
mirko_3
l33t
Joined: 02 Nov 2003
Posts: 605
Location: Birreria
|
| Posted: Sat Jan 22, 2005 8:51 pm Post subject: |
|
|
done, I sent you a pm
_________________
Non fa male! Non fa male! |
|
| Back to top |
|
|
BlackB1rd
Tux's lil' helper
Joined: 13 Aug 2003
Posts: 131
Location: /Europe/Netherlands/Haarlem
|
| Posted: Sun Feb 12, 2006 3:34 pm Post subject: |
|
|
| I really do like this module Just wondering if it could be enhanced by printing the current date/time before each file it reports? Don't know anything about C, cannot do it myself |
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Mon Feb 13, 2006 10:12 am Post subject: |
|
|
| BlackB1rd wrote: | | I really do like this module |
I'm glad it's useful.
| BlackB1rd wrote: |
Just wondering if it could be enhanced by printing the current date/time before each file it reports? |
This definitely can be done but is this module still needed?
Isn't there meanwhile a mechanism in the kernel (inotify?) that enables filesystem monitoring? (I'm not really up to date on the matter...)
Originally (in 2003) the module was part of an always up to date Desktop Search System which consisted of a small Haskell program that updated a database on file modifications.
Not sure how current systems work: are the always up to date or do you have to update the index after a while like locate? |
|
| Back to top |
|
|
stef
Tux's lil' helper
Joined: 23 Jul 2003
Posts: 93
|
|
| Back to top |
|
|
thaldyron
Apprentice
Joined: 25 Sep 2002
Posts: 227
Location: On Earth
|
| Posted: Sun Apr 09, 2006 8:53 am Post subject: |
|
|
That's the question. I'm wondering if maintaining my tool is still necessary or if I would waste my time doing so. Referring to your original question in the thread above, this should be possible with my module by adding a few lines of code. |
|
| Back to top |
|
|
Simba
n00b
Joined: 08 Nov 2002
Posts: 60
|
| Posted: Tue Aug 15, 2006 7:47 pm Post subject: Realtime filesystem monitoring program |
|
|
Just for information, there is a new tool to monitor filesystem in realtime based on inotify:
http://sourceforge.net/projects/iwatch
Simba |
|
| Back to top |
|
|
|
Documentation, Tips & Tricks
