Re: Monitoring File Access (Read / Write)
- Subject: Re: Monitoring File Access (Read / Write)
- From: Justin Walker <email@hidden>
- Date: Thu, 17 Jun 2004 14:42:42 -0700
On Jun 17, 2004, at 14:15, Krishna Monian wrote:
> Hi All,
> Is it possible to write some sort of kernel mode app
> that hooks on to all file system calls / IO calls and
> logs all of these ?

Not really. Since the source is available, you can always hack away to
your heart's content, but this kind of approach really isn't going to
work in the long run. In addition, it only works on your system (or on
those belonging to people you can con into running your kernel :-}).

> I took a look at the File Alteration Monitor (FAM) but
> that doesn't achieve this completely. It doesn't log
> file reads.
> I am basically trying to write a utility that will log
> every file that is accessed (read / write) in a
> particular directory in the system.
> What would be the best way to go about doing this? Is
> a kernel hook the only way? Is there anything that has
> already been done along these lines (quite sure it
> has)?

The only way to do this is with some kind of kernel assistance.
Hacking into dispatch tables won't, in all likelihood, survive new
releases of the kernel, though. This approach is frowned on.
I'd suggest, as someone already has, looking at ktrace, or perhaps,
fs_usage. The source for both is available. This is a polling type of
interface, though, so you need to apply it with some care and
forethought. There is no notification mechanism for file access.
Regards,
Justin
--
Justin C. Walker, Curmudgeon-At-Large  *
Institute for General Semantics        | Men are from Earth.
                                       | Women are from Earth.
                                       | Deal with it.
*--------------------------------------*-------------------------------*
_______________________________________________
darwin-kernel mailing list | email@hidden