From owner-freebsd-hackers@FreeBSD.ORG  Mon Feb  7 00:45:42 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D1E2916A4CE
	for <freebsd-hackers@freebsd.org>;
	Mon,  7 Feb 2005 00:45:42 +0000 (GMT)
Received: from cyrus.watson.org (cyrus.watson.org [204.156.12.53])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7988943D39
	for <freebsd-hackers@freebsd.org>;
	Mon,  7 Feb 2005 00:45:42 +0000 (GMT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by cyrus.watson.org (Postfix) with SMTP id B4D9246B33;
	Sun,  6 Feb 2005 19:45:41 -0500 (EST)
Date: Mon, 7 Feb 2005 00:44:45 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: Nick Strebkov <nick@humgat.org>
In-Reply-To: <20050206232304.GA2346@nicks.ipnet.kiev.ua>
Message-ID: <Pine.NEB.3.96L.1050207004338.61595D-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Deomid Ryabkov <myself@rojer.pp.ru>
cc: Milan Obuch <milan@dino.sk>
cc: freebsd-hackers@freebsd.org
Subject: Re: Question: tracking filesystem changes?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2005 00:45:42 -0000


On Mon, 7 Feb 2005, Nick Strebkov wrote:

> > The TrustedBSD Audit code should be able to fill this need -- the goal of
> > the Audit code is to be able to track "security critical events" in a
> > configurable way, so file open/link/symlink/unlink operations are an
> > important subset of that.  We hope to integrate the Audit code into 6.x in
> > the next few months, and then (in as much as is possible given kernel ABI
> > requirements) merge for 5.5.  However, this is some time away still, so
> > presumably can't help in the short term.  The result, though, is an event
> > stream file that's mechanically parseable, and the even stream can be
> > configured to indicate which types of events are important at a fairly
> > fine granularity.
> 
> Sounds great. But i have similar tasks (not so huge amount of files) 
> and i'd prefer to extend kqueue/kevent with EVFILT_INODE filter to have
> ability to monitor changes in file without opening it. 

What mechanism do you have in mind for KQueue to notify you as to which
file had an event?

Robert N M Watson