Question: tracking filesystem changes?

[Nick Strebkov]

Hi,

> > No, won't do the trick either.  I cannot afford setting up watchdogs for
> > every file or even every directory.  And I'm essentially "interested" in
> > every one of them (for mirroring purposes).  A more general approach is
> > needed.  E.g., if an unlink call is issued and an inode is within a
> > particular filesystem (luckily, most of our data already lives on or can
> > be easily moved to a separate filesystem), a notice is sent to some
> > userland daemon:  "file /www/xxx/yyy.shtml is unlinked". Or opened for
> > writing, or renamed... etc.  The file is then scheduled for distribution
> > to mirrors.  The idea seems simple and straightforward, yet I don't know
> > if it is achievable. 
> > 
> > The essential part is obtaining the full pathname of the file (won't
> > bother with hardlinks at first, they aren't used here).  Could that be
> > done with the FreeBSD's filesystem (vnode/vfs?) code? (which I'm not
> > familiar with) 
> 
> The TrustedBSD Audit code should be able to fill this need -- the goal of
> the Audit code is to be able to track "security critical events" in a
> configurable way, so file open/link/symlink/unlink operations are an
> important subset of that.  We hope to integrate the Audit code into 6.x in
> the next few months, and then (in as much as is possible given kernel ABI
> requirements) merge for 5.5.  However, this is some time away still, so
> presumably can't help in the short term.  The result, though, is an event
> stream file that's mechanically parseable, and the even stream can be
> configured to indicate which types of events are important at a fairly
> fine granularity.

Sounds great. But i have similar tasks (not so huge amount of files)
and i'd prefer to extend kqueue/kevent with EVFILT_INODE filter to have
ability to monitor changes in file without opening it.

-- 
Nick Strebkov
Public key: http://humgat.org/~nick/pubkey.txt
fpr: 552C 88D6 895B 6E64 F277 D367 8A70 8132 47F5 C1B6