- Notifications
You must be signed in to change notification settings - Fork4
kanurag94/filemonitor
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
ebpf based Filemonitoring
usage: filemonitor.py [-h] [-f FILE] [-r] [-w] [-p] [-c] [-d]Monitors file actionsoptional arguments: -h, --help show this help message and exit -f FILE, --file FILE give config filepath -r, --read trace read events -w, --write trace write events -p, --rename trace rename events -c, --create trace create events -d, --delete trace delete eventsExample: ./filemonitor -r # traces read of /var/log/syslog ./filemonitor -f /path/to/config # traces filepaths in path for all events ./filemonitor -f /path/to/config -d # traces filepaths in path for delete eventsPID UID CPU PROC FPATH COMM OPRN11351 1000 1 test_file_12.txt cat READ11375 1000 1 test_file_12.txt vi READ11397 1000 0 test_file_12.txt vi READ11397 1000 0 test_file_12.txt vi WRITE11441 1000 0 test_file_12.txt mv RENAME11463 1000 0 a rm DELETE- Clone the repository
git clone https://github.com/kanurag94/filemonitor.git cd filemonitor- For debian and ubuntu:
sudo make all filemonitor -hto check- For other distributions visit:https://github.com/iovisor/bcc/blob/master/INSTALL.md and run
sudo run.sh
- A BPFHASH map keeps inode entries of the files supplied as config.
- Listens to read, create, delete, rename, write events on the inodes.
process pathto be addeduser tty idto be added