Question: tracking filesystem changes?

Robert Watson rwatson at
Fri Feb 4 03:35:31 PST 2005

On Wed, 2 Feb 2005, Deomid Ryabkov wrote:

> No, won't do the trick either.  I cannot afford setting up watchdogs for
> every file or even every directory.  And I'm essentially "interested" in
> every one of them (for mirroring purposes).  A more general approach is
> needed.  E.g., if an unlink call is issued and an inode is within a
> particular filesystem (luckily, most of our data already lives on or can
> be easily moved to a separate filesystem), a notice is sent to some
> userland daemon:  "file /www/xxx/yyy.shtml is unlinked". Or opened for
> writing, or renamed... etc.  The file is then scheduled for distribution
> to mirrors.  The idea seems simple and straightforward, yet I don't know
> if it is achievable. 
> The essential part is obtaining the full pathname of the file (won't
> bother with hardlinks at first, they aren't used here).  Could that be
> done with the FreeBSD's filesystem (vnode/vfs?) code? (which I'm not
> familiar with) 

The TrustedBSD Audit code should be able to fill this need -- the goal of
the Audit code is to be able to track "security critical events" in a
configurable way, so file open/link/symlink/unlink operations are an
important subset of that.  We hope to integrate the Audit code into 6.x in
the next few months, and then (in as much as is possible given kernel ABI
requirements) merge for 5.5.  However, this is some time away still, so
presumably can't help in the short term.  The result, though, is an event
stream file that's mechanically parseable, and the even stream can be
configured to indicate which types of events are important at a fairly
fine granularity.

Robert N M Watson

More information about the freebsd-hackers mailing list