From owner-freebsd-hackers@FreeBSD.ORG  Thu Nov 17 17:15:14 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 00A5816A420
	for <freebsd-hackers@freebsd.org>; Thu, 17 Nov 2005 17:15:13 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B174143D49
	for <freebsd-hackers@freebsd.org>; Thu, 17 Nov 2005 17:15:13 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id DAD4B46BCA;
	Thu, 17 Nov 2005 12:15:12 -0500 (EST)
Date: Thu, 17 Nov 2005 17:15:12 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: "Giovanni P. Tirloni" <gpt@tirloni.org>
In-Reply-To: <437CB004.2000401@tirloni.org>
Message-ID: <20051117171414.L77687@fledge.watson.org>
References: <a9f55af40511170707n3dd70429t48d85acf9b3be5f4@mail.gmail.com>
	<437CB004.2000401@tirloni.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-hackers@freebsd.org, Cornelis Swanepoel <rools.ster@gmail.com>
Subject: Re: Filesystem monitoring question
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2005 17:15:14 -0000


On Thu, 17 Nov 2005, Giovanni P. Tirloni wrote:

> Using kqueue you can monitor a file/directory for changes and have it 
> trigger something when that event happens. But you want to monitor you 
> whole partition.. perhaps intercept some syscalls ?

Depending on your requirements, you may be able to use ktrace(1) to 
monitor the path lookups of all processes on the system by logging them to 
a file and tracking the file.

With Audit support, shortly to be imported into the tree, you'll be able 
to do similar things, although in a more configurable way.

Robert N M Watson