From owner-freebsd-questions Sun Feb 9 15:59:44 2003 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81B1437B401 for ; Sun, 9 Feb 2003 15:59:42 -0800 (PST) Received: from smtp.comcast.net (smtp.comcast.net [24.153.64.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0E0A43F85 for ; Sun, 9 Feb 2003 15:59:41 -0800 (PST) (envelope-from krfogleman@comcast.net) Received: from comcast.net (pcp866891pcs.siestk01.fl.comcast.net [68.56.217.71]) by mtaout06.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.09 (built Jan 7 2003)) with ESMTP id <0HA200JOIFY9GO@mtaout06.icomcast.net> for freebsd-questions@freebsd.org; Sun, 09 Feb 2003 18:58:57 -0500 (EST) Date: Sun, 09 Feb 2003 19:00:11 -0500 From: Kevin Fogleman Subject: Re: Monitoring the entire filesystem? In-reply-to: To: freebsd-questions@freebsd.org Message-id: <3E46EB8B.3080702@comcast.net> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1; format=flowed Content-transfer-encoding: 7BIT X-Accept-Language: en-us, en User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130 References: Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I was thinking more along the lines of realtime notification of changes, instead of using a program to poll all files that you would want to monitor, which would be inefficient. Something along the lines of FAM, but more scalable. http://oss.sgi.com/projects/fam/ --Kevin Fogleman Allan Dib wrote: > I use /usr/ports/security/tripwire-131 > > Works great... > > > -Allan > > > On Monday, February 10, 2003, at 06:44 AM, Kevin Fogleman wrote: > >> Is there an existing way to monitor the entire filesystem for changes >> to any file, particularly changes in extended attributes? >> >> I've read over the documentation for kqueue, but some things were >> left unclear. For example, it appears the man page has not been >> updated for 5.0 and thus doesn't specify whether or how extended >> attributes can be monitored for modifications. Also, it appears that >> kqueue needs a file descriptor for each file that one would want to >> monitor, making any large-scale file monitoring impractical. Is >> there any other way in FreeBSD to be notified of file modifications >> in a way that would allow one to monitor the whole file system or >> large portions of it? I don't really need to know whether a >> particular attribute changed, but rather just whether any of them >> changed. >> >> --Kevin Fogleman >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-questions" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message