# Monitoring all filesystem modifications

## thaldyron

29.1.2005 Update: minor bugfix

10.1.2005 Update: now working with 2.6.10 and UDEV

Overview:

After loading this kernel module you can monitor all file system alterations by simply typing:

```
cat /dev/fsysmon
```

Its original purpose was to feed a daemon with data, but nevertheless I found it to be even more useful as a standalone project.

Download:

http://www.logic.at/staff/robinson/fsysmon-0.2.tar.gz

Requirements:

- Kernel 2.6 with enabled support for security modules. The following should be sufficient:

```
CONFIG_SECURITY=y
```

[EDIT] Since someone asked me why this is needed, here is a short explanation: In 2.4 it was possible to overwrite entries of the syscall table. This is necessary to enable the filesystem monitoring. In 2.6 one has to use the security hooks to get the same functionality because the syscall table is no longer exported. [/EDIT]

Building:

Note: The default behaviour of the module is to monitor all file adding, moving, removing and renaming operations. If you also want to monitor file content modifications you have to uncomment the following line in fsysmon.c:

```
// #define INODE_ACCESS (optionally)
```

Building the module:

```
tar zxvf fsysmon-0.1.tar.gz
cd /usr/src/linux
make SUBDIRS=/path_to_archive/fsysmon-0.1/module/ modules
```

Loading:

```
cd /path_to_archive/fsysmon-0.1/module/
su
insmod ./fsysmon.ko
```

Usage:

The module creates a device called /dev/fsysmon. 

In case you are using UDEV you have to create the device yourself:

Find out its major number:

```
grep fsysmon /proc/devices

253 fsysmon
```

Create the device:

```
mknod /dev/fsysmon c 253 1
```

To monitor the filesystem alterations you can simply type:

```
cat /dev/fsysmon
```

This will output a line every time something is modified. The first character of the line determines its meaning; the rest consists of the pathname of the corresponding file without its first character (which is '/' anyway).

Semantics of the first character:

a: file was added

r: file was removed

u: file content was updated

Example:

Output Line: ahome/user/fileXY

Meaning: fileXY was just created in directory /home/user

Unloading:

```
su
rmmod fsysmon
```

Caution: It is important to unload the module if you don't read from /dev/fsysmon, otherwise the module will eat up all your memory after a while.

If you continuously read from the device you can leave it running as long as you want.

Hope this is helpful!

Regards

Last edited by thaldyron on Sat Jan 29, 2005 5:13 pm; edited 6 times in total

----------
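Added example, not part of the original post or of fsysmon itself: helper code for the two manual steps in the README above, finding the module's major number in /proc/devices when udev has not created the node, and decoding the lines read from /dev/fsysmon into an event type and an absolute path. The /proc/devices sample and the event lines are constructed; the 0600 mode on the node is an added choice, since the device exposes every path touched on the host and should stay root-only.

```python
"""Added example, not part of fsysmon or the original post: helpers for the
two manual steps in the README (finding the module's major number in
/proc/devices for the udev case, and decoding lines read from /dev/fsysmon).
Assumed: the /proc/devices layout shown in the post, and the event format
'<a|r|u><path without leading />' described there."""
import io
import os
import stat
from typing import Iterable, Iterator, NamedTuple, Optional

# Constructed sample of /proc/devices; a real one has many more entries.
SAMPLE_PROC_DEVICES = """\
Character devices:
  1 mem
  4 tty
  5 /dev/tty
 10 misc
253 fsysmon

Block devices:
  8 sd
"""

def find_char_major(proc_devices_text: str, name: str) -> Optional[int]:
    """Major number of character device `name` (the README's grep step), or None."""
    section = None
    for line in proc_devices_text.splitlines():
        if line.endswith("devices:"):
            section = line.split()[0].lower()   # "character" or "block"
            continue
        parts = line.split()
        if section == "character" and len(parts) == 2 and parts[1] == name:
            return int(parts[0])
    return None

def mknod_command(major: int, minor: int = 1, path: str = "/dev/fsysmon") -> str:
    """The equivalent of the README's manual mknod step; minor 1 as in the README."""
    return f"mknod {path} c {major} {minor}"

def create_device_node(major: int, minor: int = 1, path: str = "/dev/fsysmon") -> None:
    """Create the node directly (needs root). Mode 0600 is an added choice: the
    device reveals every path touched on the host, so keep it root-only."""
    os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(major, minor))

EVENT_NAMES = {"a": "added", "r": "removed", "u": "updated"}

class Event(NamedTuple):
    kind: str   # "added", "removed" or "updated"
    path: str   # absolute path, leading '/' restored

def decode_line(line: str) -> Optional[Event]:
    """Turn one output line such as 'ahome/user/fileXY' into an Event.
    Lines with an unknown first character are dropped rather than guessed at."""
    line = line.rstrip("\n")
    if not line or line[0] not in EVENT_NAMES:
        return None
    return Event(EVENT_NAMES[line[0]], "/" + line[1:])

def follow(stream: Iterable[str]) -> Iterator[Event]:
    """Yield decoded events from an open /dev/fsysmon (or any line source)."""
    for line in stream:
        ev = decode_line(line)
        if ev is not None:
            yield ev

if __name__ == "__main__":
    major = find_char_major(SAMPLE_PROC_DEVICES, "fsysmon")
    print(mknod_command(major))   # what to run as root when udev did not create the node
    # Constructed stand-in for `cat /dev/fsysmon`; use open("/dev/fsysmon") on a real system.
    sample = io.StringIO("ahome/user/fileXY\nuetc/passwd\nrtmp/lock\n")
    for ev in follow(sample):
        print(ev.kind, ev.path)
```

On a real system `follow(open("/dev/fsysmon"))` replaces the StringIO; keep the reader running for as long as the module is loaded, because of the memory caveat in the README.

----------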

## beastmaster2000

This tool seems to make life a lot easier when trying to find out _why_ my hard disk never switches to standby... :Smile:

----------

## GentooBox

That is a damn nice kernel module.

Does it work on all kinds of filesystems?

----------

## thaldyron

 *GentooBox wrote:*   

> That is a damn nice kernel module.
> 
> Does it work on all kinds of filesystems?

 

Thanks!  :Smile: 

If you mean filesystems like reiserfs, ext3 or vfat, the answer is yes.

Everything that depends on the inode system calls is monitored (files, sockets, pipes, ...).

----------

## FonderiaDigitale

How is this better than tripwire/afick usage?

----------

## thaldyron

 *FonderiaDigitale wrote:*   

> How is this better than tripwire/afick usage?

 

I'm not very familiar with tripwire and therefore don't know if tripwire makes it that easy to monitor filesystem alterations by simply parsing the output of a device. 

However, I think my kernel module is some sort of lightweight approach compared to the features of tripwire. AFAIK tripwire is focused on security-related issues rather than just producing helpful debug output.

----------

## Mit

Now, that sort of thing could be useful to feed into a virus scanner for some form of real-time scanning on a desktop Linux machine... might have a play with it and see if I can come up with anything :Smile: as that is the one worry, no specific real-time virus scanner (and as Linux popularity increases so will Linux virii/viruses)

----------

## twiggy

 *Mit wrote:*   

> ..no specific real-time virus scanner (and as Linux popularity increases so will Linux virii/viruses)

 

If that were really true it would happen NOW!

There's no doubt that there will be a lot more security flaws, but not real viruses, for obvious reasons..

----------

## Mit

 *twiggy wrote:*   

> *Mit wrote:* ..no specific real-time virus scanner (and as Linux popularity increases so will Linux virii/viruses)
> 
> If that were really true it would happen NOW!
> 
> There's no doubt that there will be a lot more security flaws, but not real viruses, for obvious reasons..

 

I wouldn't like to bet on that, the problem being that even though Linux is inherently far more secure when it comes to users and access etc., when more people start using it, the 'untrained' ones will start using root to do normal things, just like Windows and Administrator (yes, I've seen people use Administrator to surf the net etc. on a server).

Anyway, it can't do any harm for Linux to have a real-time virus scanner (or many); maybe I've just not come across one that doesn't have a stupidly large price tag next to it yet... perhaps it does exist :Smile:

Hey, why not more options... after all, that's what Linux is about: options :Very Happy:

----------

## twiggy

As I said before, there will be a lot more security issues in the future, but you know viruses do NOT feed on popularity! We won't see the same thing that is happening with Windows unless everyone starts running everything as root :Smile:

----------

## GentooBox

 *twiggy wrote:*   

> As I said before, there will be a lot more security issues in the future, but you know viruses do NOT feed on popularity! We won't see the same thing that is happening with Windows unless everyone starts running everything as root

 

I'm running everything as root. :Wink:

It's nice to have the kernel module as an extra kernel feature.

I made a script that checks if something is getting written to my binary files or some of them are changed.

In case some guy wants to install a backdoor on my box.

----------
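Added example, not part of fsysmon or of any poster's script: one way to turn fsysmon's output into the kind of binary-integrity check described in the post above. The files under the watched directories are hashed once, then every event line under a watched directory is turned into an alert: additions and removals directly, content updates by rehashing and comparing against the baseline. The watched directory, file names and event lines are constructed for the demo in a temporary directory; on a real system the lines come from /dev/fsysmon, and 'u' events only appear if the module was built with INODE_ACCESS enabled, as the README notes.

```python
"""Added example, not part of fsysmon or of any poster's script: an
event-driven integrity check over fsysmon's output format. It hashes the
files under watched directories once, then for each event line under a
watched directory it reports removals, additions, and content changes (by
rehashing on 'u' events). Watched directories, file names and event lines
below are constructed for the demo; on a real system the lines would come
from /dev/fsysmon, and 'u' events only exist if the module was built with
INODE_ACCESS enabled."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(watch_dirs: List[str]) -> Dict[str, str]:
    """Hash every regular file below the watched directories (symlinks skipped)."""
    baseline: Dict[str, str] = {}
    for d in watch_dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    baseline[p] = sha256_file(p)
    return baseline

def under_watched(path: str, watch_dirs: List[str]) -> bool:
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in watch_dirs)

def check_event(line: str, baseline: Dict[str, str], watch_dirs: List[str]) -> Optional[str]:
    """Decode one fsysmon line ('a'|'r'|'u' + path without leading '/') and
    return an alert string if it concerns a watched directory, else None."""
    line = line.rstrip("\n")
    if not line or line[0] not in "aru":
        return None
    kind, path = line[0], "/" + line[1:]
    if not under_watched(path, watch_dirs):
        return None
    if kind == "a":
        return f"ADDED {path}"
    if kind == "r":
        return f"REMOVED {path}" if path in baseline else None
    # 'u': the event only says the content changed; rehash to see whether it differs.
    old = baseline.get(path)
    if old is None:
        return f"UPDATED {path} (not in baseline)"
    try:
        new = sha256_file(path)
    except OSError:
        return f"UPDATED {path} (unreadable after change)"
    if new != old:
        return f"MODIFIED {path} sha256 {old[:12]}.. -> {new[:12]}.."
    return None   # rewritten with identical content (e.g. same-content copy)

def demo() -> List[str]:
    """Constructed scenario in a temp dir: a watched 'bin' with one script that
    then gets tampered with; returns the alerts the check produces."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        baseline = build_baseline([bindir])
        with open(ls, "ab") as f:        # simulated tampering after the baseline
            f.write(b"# appended by someone else\n")
        # Constructed event lines, in fsysmon format (leading '/' stripped).
        lines = [
            "u" + ls[1:],                                 # content changed
            "a" + os.path.join(bindir, "sshd")[1:],       # new file in watched dir
            "u" + os.path.join(tmp, "notes.txt")[1:],     # outside watched dir
            "r" + ls[1:],                                 # removal of baselined file
        ]
        return [a for a in (check_event(l, baseline, [bindir]) for l in lines) if a]

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The event arrives after the write has happened, so this detects rather than prevents; a file that is created and deleted again before the rehash shows up through the OSError branch instead of a hash. The module also reports only that a path changed, not who changed it, so the alert is a starting point for investigation rather than attribution.

----------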

## mirko_3

doesn't compile on 2.6.9-rc1...

```
mirko3 linux # make SUBDIRS=/root/fsysmon-0.1/module/ modules
  CC [M]  /root/fsysmon-0.1/module/fsysmon.o
/root/fsysmon-0.1/module/fsysmon.c: In function `fsysmon_inode_create':
/root/fsysmon-0.1/module/fsysmon.c:80: sorry, unimplemented: inlining failed in call to 'filenames_entry': function body not available
/root/fsysmon-0.1/module/fsysmon.c:201: sorry, unimplemented: called from here
make[1]: *** [/root/fsysmon-0.1/module/fsysmon.o] Error 1
make: *** [_module_/root/fsysmon-0.1/module] Error 2
```

any clue, anyone?

----------

## codergeek42

 *mirko_3 wrote:*   

> doesn't compile on 2.6.9-rc1...
> 
> ```
> 
> mirko3 linux # make SUBDIRS=/root/fsysmon-0.1/module/ modules
> ...

This initially happened to me too (not for this specific module though). Are you using GCC 3.4?

----------

## mirko_3

sorry for the delay in replying, but I wasn't at home...

yes, I'm using gcc 3.4...  does that mean I have to use 3.3.x?

----------

## mirko_3

Ok, gcc-config to switch gcc version and fsysmon compiled. I was even able to force it to load (because of the different gcc versions I use to compile the module and the kernel, I had to force it). But it doesn't work; from dmesg:

```
fsysmon security module removed
fsysmon: no version magic, tainting kernel.
Module fsysmon init
There is already a security framework initialized, register_security failed.
Failure registering fsysmon module with the kernel
Failure registering fsysmon  module with primary security module.
fsysmon initialized as a security module.
```

and when I remove it:

```
Module fsysmon exit
Failure unregistering fsysmon security module with primary module.
fsysmon security module removed
```

Any solution?

----------

## thaldyron

Hi all!

I've updated the code to work with the later 2.6.x releases. In case you are using udev you have to create the device yourself as described in the readme!

Regards

----------

## mirko_3

Why, thanks, I'll try it as soon as I have time!

----------

## mirko_3

I've just downloaded it, but it does not compile:

```
mirko_3 linux # make SUBDIRS=/root/fsysmon-0.2/module/ modules
  CC [M]  /root/fsysmon-0.2/module/fsysmon.o
/root/fsysmon-0.2/module/fsysmon.c: In function `fsysmon_inode_create':
/root/fsysmon-0.2/module/fsysmon.c:81: sorry, unimplemented: inlining failed in call to 'filenames_entry': function body not available
/root/fsysmon-0.2/module/fsysmon.c:202: sorry, unimplemented: called from here
make[1]: *** [/root/fsysmon-0.2/module/fsysmon.o] Error 1
make: *** [_module_/root/fsysmon-0.2/module] Error 2
```

gcc version 3.4.3 20050110, CONFIG_SECURITY=y. I've no idea about what I might try to make it work....

----------

## thaldyron

 *mirko_3 wrote:*   

> 
> 
> gcc version 3.4.3 20050110, CONFIG_SECURITY=y. I've no idea about what I might try to make it work....

 

This is really strange. What kernel are you using? I just tried it again myself and it worked. I'm using gcc (GCC) 3.4.3 20041125 and development-sources-2.6.10-r1. You could PM me your kernel .config, then I will try to figure out if it's a kernel issue or not.

----------

## mirko_3

Done, I sent you a PM.

----------

## BlackB1rd

I really do like this module :Smile: Just wondering if it could be enhanced by printing the current date/time before each file it reports? Don't know anything about C, cannot do it myself :Wink:

----------

## thaldyron

 *BlackB1rd wrote:*   

> I really do like this module  

 

I'm glad it's useful.   :Very Happy: 

 *BlackB1rd wrote:*   

> 
> 
> Just wondering if it could be enhanced by printing the current date/time before each file it reports? 

 

This definitely can be done, but is this module still needed?

Isn't there meanwhile a mechanism in the kernel (inotify?) that enables filesystem monitoring? (I'm not really up to date on the matter...)

Originally (in 2003) the module was part of an always-up-to-date desktop search system which consisted of a small Haskell program that updated a database on file modifications.

Not sure how current systems work: are they always up to date, or do you have to update the index after a while like locate?

----------

## stef

Hm, yes, sounds interesting, as I was searching for something like that: https://forums.gentoo.org/viewtopic-t-435829-highlight-.html

Anyone have ideas if there's already something (using inotify?)

----------

## thaldyron

 *stef wrote:*   

> Hm, yes, sounds interesting, as I was searching for something like that: https://forums.gentoo.org/viewtopic-t-435829-highlight-.html
> 
> Anyone have ideas if there's already something (using inotify?)

 

That's the question. I'm wondering if maintaining my tool is still necessary or if I would waste my time doing so. Referring to your original question in the thread above, this should be possible with my module by adding a few lines of code.

----------

## Simba

Just for information, there is a new tool to monitor filesystems in real time based on inotify:

http://sourceforge.net/projects/iwatch

Simba

----------

## predatorfreak

Shouldn't the file be in /proc and NOT /dev? It's technically not a device node, so the data should be dumped into something in /proc or /sys (I'd say /proc is the better choice, since /sys is more hardware-related information).

----------

