Date: Mon, 7 Feb 2005 00:44:45 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: Nick Strebkov <nick@humgat.org> Cc: freebsd-hackers@freebsd.org Subject: Re: Question: tracking filesystem changes? Message-ID: <Pine.NEB.3.96L.1050207004338.61595D-100000@fledge.watson.org> In-Reply-To: <20050206232304.GA2346@nicks.ipnet.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 7 Feb 2005, Nick Strebkov wrote: > > The TrustedBSD Audit code should be able to fill this need -- the goal of > > the Audit code is to be able to track "security critical events" in a > > configurable way, so file open/link/symlink/unlink operations are an > > important subset of that. We hope to integrate the Audit code into 6.x in > > the next few months, and then (in as much as is possible given kernel ABI > > requirements) merge for 5.5. However, this is some time away still, so > > presumably can't help in the short term. The result, though, is an event > > stream file that's mechanically parseable, and the even stream can be > > configured to indicate which types of events are important at a fairly > > fine granularity. > > Sounds great. But i have similar tasks (not so huge amount of files) > and i'd prefer to extend kqueue/kevent with EVFILT_INODE filter to have > ability to monitor changes in file without opening it. What mechanism do you have in mind for KQueue to notify you as to which file had an event? Robert N M Watson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1050207004338.61595D-100000>