Date: Fri, 4 Feb 2005 11:34:40 +0000 (GMT)
From: Robert Watson
To: Deomid Ryabkov
Cc: freebsd-hackers@freebsd.org, Milan Obuch
Subject: Re: Question: tracking filesystem changes?
In-Reply-To: <4200DCF6.1010002@rojer.pp.ru>

On Wed, 2 Feb 2005, Deomid Ryabkov wrote:

> No, won't do the trick either. I cannot afford setting up watchdogs for
> every file or even every directory. And I'm essentially "interested" in
> every one of them (for mirroring purposes). A more general approach is
> needed. E.g., if an unlink call is issued and an inode is within a
> particular filesystem (luckily, most of our data already lives on or can
> be easily moved to a separate filesystem), a notice is sent to some
> userland daemon: "file /www/xxx/yyy.shtml is unlinked". Or opened for
> writing, or renamed... etc. The file is then scheduled for distribution
> to mirrors. The idea seems simple and straightforward, yet I don't know
> if it is achievable.
>
> The essential part is obtaining the full pathname of the file (won't
> bother with hardlinks at first, they aren't used here). Could that be
> done with the FreeBSD's filesystem (vnode/vfs?) code? (which I'm not
> familiar with)

The TrustedBSD Audit code should be able to fill this need -- the goal of
the Audit code is to be able to track "security critical events" in a
configurable way, so file open/link/symlink/unlink operations are an
important subset of that. We hope to integrate the Audit code into 6.x in
the next few months, and then (in as much as is possible given kernel ABI
requirements) merge for 5.5. However, this is some time away still, so
presumably can't help in the short term. The result, though, is an event
stream file that's mechanically parseable, and the event stream can be
configured to indicate which types of events are important at a fairly
fine granularity.

Robert N M Watson
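
An added example, not part of the original message or of the TrustedBSD code: the userland side of the mirroring use case discussed above, turning a text audit event stream into a list of changed paths. It assumes records laid out in the style of praudit output (described in the leading comment); `MIRROR_ROOT` and the sample records are constructed for illustration.

```python
# Added example. Assumed input: text audit records in praudit style, one token
# per line between "header" and "trailer":
#   header,<bytes>,<version>,<event>,<modifier>,<time>,<msec>   path,<path>   return,<status>,<value>
MIRROR_ROOT = "/www/"  # hypothetical filesystem being mirrored
SAMPLE = """\
header,120,11,unlink(2),0,Fri Feb  4 11:35:31 2005, + 101 msec
path,/www/xxx/yyy.shtml
return,success,0
trailer,120
header,131,11,open(2) - write,creat,trunc,0,Fri Feb  4 11:35:32 2005, + 7 msec
path,/www/a,b.html
return,success,3
trailer,131
header,150,11,rename(2),0,Fri Feb  4 11:35:33 2005, + 40 msec
path,/www/old.html
path,/www/new.html
return,success,0
trailer,150
"""  # constructed records, not captured from a real system

def parse_records(text):
    """Yield (event, paths, succeeded) for each complete record."""
    event, paths, ok = None, [], False
    for line in text.splitlines():
        token, _, rest = line.partition(",")  # keeps commas inside paths
        if token == "header":
            # Event names can contain commas, so strip the two leading and
            # three trailing fixed fields rather than splitting on every comma.
            head = rest.split(",", 2)
            event = head[2].rsplit(",", 3)[0] if len(head) == 3 else None
            paths, ok = [], False
        elif token == "path":
            paths.append(rest)
        elif token == "return":
            ok = rest.startswith("success")
        elif token == "trailer" and event:
            yield event, paths, ok
            event = None

def mirror_jobs(text, root=MIRROR_ROOT):
    """Return ordered, de-duplicated (syscall, path) pairs worth mirroring."""
    jobs = []
    for event, paths, ok in parse_records(text):
        name = event.split("(")[0]
        changed = name in ("unlink", "rename") or (name == "open" and "write" in event)
        for p in paths:
            if ok and changed and p.startswith(root) and (name, p) not in jobs:
                jobs.append((name, p))
    return jobs
```

Failed calls, read-only opens and paths outside the mirrored root produce no job, so only successful modifications reach the distribution queue.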