linux-kernel.vger.kernel.org archive mirror
* real-time file monitoring at the kernel level
@ 2001-04-11 11:19 Ben Breuninger
From: Ben Breuninger @ 2001-04-11 11:19 UTC (permalink / raw)
  To: linux-kernel

Hello,

I was wondering if anyone has a patch, or is working on something for what
I'm looking for, or if they are interested in an idea I have (forgive me if
this is someone else's idea, I'll give credit to them), for file monitoring
at the kernel level.
I have put up a brief explanation of what I'm looking for at
http://flog.uncontrolled.org/, but in a nutshell, it is this:

A kernel patch (or module) that would allow me to have, say, /proc/flog,
which shows real-time file monitoring information, which could be
tail -f'd like so:

root@server~# tail -f /proc/flog
modify: root "/var/log/auth.log" 20000410150229
access: root "/etc/passwd" 20000410150324
modify: root "/etc/passwd" 20000410150441
remove: root "/var/log/auth.log" 20000410150502
create: root "/usr/bin/.. /" 20000410150534
create: root "/usr/bin/.. /backdoor" 20000410150627
modify: bob "/home/bob/mailbox" 20000410150854
modify: root "/var/www/htdocs/index.html" 20000410150927

The above would describe a theoretical break-in from a hacker, which I
believe would be extremely useful in intrusion detection. My idea of this
is further outlined at http://flog.uncontrolled.org/, including
theoretical usage, practice, description, etc.
The reason I ask the linux-kernel community is that my coding ability does not
allow me to hack at the kernel, and so I would need help with this, or any
other information that would point me in the right direction for what I'm
looking for.

If someone is interested in this, or has any information whatsoever,
please let me know!

Thanks,
benb@uncontrolled.org

PS: I'm not looking for LIDS
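The proposed /proc/flog format is a one-record-per-line stream that a userspace detector could consume with tail -f. As an added example (not part of the original post), this parses the sample lines from the message and applies three simple rules from the defender's side: removal of a file under /var/log, modification of an account file, and creation of a path component disguised to look like the "." or ".." entries of a directory listing. The watch list in WATCHED_FILES is an assumption, not something the post specifies; ordinary root writes to log files are deliberately not flagged, because syslog does that constantly.

```python
import re
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample: the /proc/flog lines proposed in the message above.
SAMPLE_FLOG = """\
modify: root "/var/log/auth.log" 20000410150229
access: root "/etc/passwd" 20000410150324
modify: root "/etc/passwd" 20000410150441
remove: root "/var/log/auth.log" 20000410150502
create: root "/usr/bin/.. /" 20000410150534
create: root "/usr/bin/.. /backdoor" 20000410150627
modify: bob "/home/bob/mailbox" 20000410150854
modify: root "/var/www/htdocs/index.html" 20000410150927
"""

# Fields: op, user, quoted path (may contain spaces), 14-digit YYYYMMDDHHMMSS.
LINE_RE = re.compile(r'^(\w+): (\S+) "(.*)" (\d{14})$')

class Event(NamedTuple):
    op: str
    user: str
    path: str
    ts: datetime

def parse_flog(text: str) -> List[Event]:
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed flog record {line!r}")
        op, user, path, ts = m.groups()
        events.append(Event(op, user, path, datetime.strptime(ts, "%Y%m%d%H%M%S")))
    return events

def disguised(component: str) -> bool:
    """Names like '.. ' or '...' that mimic the '.' and '..' entries in a listing."""
    return component != component.strip() or (set(component) <= {"."} and component not in (".", ".."))

WATCHED_FILES = {"/etc/passwd", "/etc/shadow"}  # assumed watch list, not from the page

def alerts(events: List[Event]) -> List[str]:
    out = []
    for e in events:
        if e.op == "remove" and e.path.startswith("/var/log/"):
            out.append(f"{e.ts:%H:%M:%S} log removed: {e.user} {e.path}")
        elif e.op == "modify" and e.path in WATCHED_FILES:
            out.append(f"{e.ts:%H:%M:%S} account file modified: {e.user} {e.path}")
        elif e.op == "create" and any(disguised(c) for c in e.path.split("/") if c):
            out.append(f"{e.ts:%H:%M:%S} disguised path created: {e.user} {e.path}")
    return out
```

Running alerts(parse_flog(SAMPLE_FLOG)) yields four alerts for the sample: the passwd modification, the auth.log removal, and the two creates under the whitespace-padded directory.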



* Re: real-time file monitoring at the kernel level
From: Karim Yaghmour @ 2001-04-12  4:45 UTC (permalink / raw)
  To: Ben Breuninger; +Cc: linux-kernel


You may want to take a look at the Linux Trace Toolkit which may
be used to do what you ask for.

http://www.opersys.com/LTT

Karim


-- 
===================================================
                 Karim Yaghmour
               karym@opersys.com
      Embedded and Real-Time Linux Expert
===================================================


* Re: real-time file monitoring at the kernel level
From: Ryan Butler @ 2001-04-12 20:17 UTC (permalink / raw)
  To: Ben Breuninger; +Cc: linux-kernel


You might check out fam and imon (fam is userspace, imon is a kernel patch).

Both are open-source SGI tools; imon is the inode monitor.

Both can be found at http://oss.sgi.com



* Re: real-time file monitoring at the kernel level
@ 2001-04-11 16:55 Jon Burgess
From: Jon Burgess @ 2001-04-11 16:55 UTC (permalink / raw)
  To: Ben Breuninger; +Cc: linux-kernel



I have never tried it myself but it looks like it might do what you want:

http://oss.sgi.com/projects/fam/

fam and imon FAQ
================

What is fam?
fam, the File Alteration Monitor, provides an API which applications can use to
be notified when specific files or directories are changed.

fam comes in two parts: fam, the daemon which listens for requests and delivers
notification, and libfam, a library which client applications can use to
communicate with fam.

If the monitored files are mounted from a remote host, the local fam will
attempt to contact fam on the remote host, and will pass the requests on to the
remote fam.

fam can also notify its clients when a file starts and stops execution. (The
IRIX Interactive Desktop uses this to change a program's icon while it's
running, for example.)

fam was originally written for IRIX in 1989 by Bruce Karsh, and was rewritten in
1995 by Bob Miller. This open-source release of fam builds and runs on both
Linux and IRIX, and is the same fam that will be included with IRIX 6.5.8.

What is imon?
imon, the Inode Monitor, is the part of the kernel that tells fam when files
have changed. When applications tell fam they're interested in files or
directories, fam passes that interest on to imon. When file operations are
performed on files monitored by imon, the kernel tells imon; imon tells fam, and
fam notifies the applications which are interested in the files.

imon was originally written for the IRIX kernel in 1989 by Wiltse Carpenter; the
Linux port was done by Roger Chickering. The Linux implementation in the imon
kernel patch is similar to the IRIX implementation in most ways, but it hooks
into the kernel filesystem code differently.


