Date: Mon, 7 Feb 2005 01:23:05 +0200 From: Nick Strebkov <nick@humgat.org> To: Robert Watson <rwatson@freebsd.org> Cc: freebsd-hackers@freebsd.org Subject: Re: Question: tracking filesystem changes? Message-ID: <20050206232304.GA2346@nicks.ipnet.kiev.ua> In-Reply-To: <Pine.NEB.3.96L.1050204113053.6650T-100000@fledge.watson.org> References: <4200DCF6.1010002@rojer.pp.ru> <Pine.NEB.3.96L.1050204113053.6650T-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, > > No, won't do the trick either. I cannot afford setting up watchdogs for > > every file or even every directory. And I'm essentially "interested" in > > every one of them (for mirroring purposes). A more general approach is > > needed. E.g., if an unlink call is issued and an inode is within a > > particular filesystem (luckily, most of our data already lives on or can > > be easily moved to a separate filesystem), a notice is sent to some > > userland daemon: "file /www/xxx/yyy.shtml is unlinked". Or opened for > > writing, or renamed... etc. The file is then scheduled for distribution > > to mirrors. The idea seems simple and straightforward, yet I don't know > > if it is achievable. > > > > The essential part is obtaining the full pathname of the file (won't > > bother with hardlinks at first, they aren't used here). Could that be > > done with the FreeBSD's filesystem (vnode/vfs?) code? (which I'm not > > familiar with) > > The TrustedBSD Audit code should be able to fill this need -- the goal of > the Audit code is to be able to track "security critical events" in a > configurable way, so file open/link/symlink/unlink operations are an > important subset of that. We hope to integrate the Audit code into 6.x in > the next few months, and then (in as much as is possible given kernel ABI > requirements) merge for 5.5. However, this is some time away still, so > presumably can't help in the short term. The result, though, is an event > stream file that's mechanically parseable, and the even stream can be > configured to indicate which types of events are important at a fairly > fine granularity. Sounds great. But i have similar tasks (not so huge amount of files) and i'd prefer to extend kqueue/kevent with EVFILT_INODE filter to have ability to monitor changes in file without opening it. -- Nick Strebkov Public key: http://humgat.org/~nick/pubkey.txt fpr: 552C 88D6 895B 6E64 F277 D367 8A70 8132 47F5 C1B6
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050206232304.GA2346>