real-time file monitoring at the kernel level

From: Ben Breuninger (benb@uncontrolled.org)
Date: Wed Apr 11 2001 - 06:19:31 EST


Hello,

I was wondering if anyone has a patch, or is working on something for what
im looking for, or if they are interested in an idea i have (forgive me if
this is someone elses idea, ill give credit to them), for file monitoring
at the kernel level.
I have put up a brief explanation of what im looking for at
http://flog.uncontrolled.org/, but in a nutshell, it is this:

a kernel patch (or module) that would allow me to have, say, /proc/flog,
which shows real-time file monitoring information, which could be tail
-f'd like so:

root@server~# tail -f /proc/flog
modify: root "/var/log/auth.log" 20000410150229
access: root "/etc/passwd" 20000410150324
modify: root "/etc/passwd" 20000410150441
remove: root "/var/log/auth.log" 20000410150502
create: root "/usr/bin/.. /" 20000410150534
create: root "/usr/bin/.. /backdoor" 20000410150627
modify: bob "/home/bob/mailbox" 20000410150854
modify: root "/var/www/htdocs/index.html" 20000410150927

the above would describe a theoretical breakin from a hacker, which i
believe would be extremely useful in intrusion detection. My idea of this
is further outlined at http://flog.uncontrolled.org/, including
theoretical usage, practice, description, etc.
The reason i ask the linux-kernel community is my coding ability does not
allow me to hack at the kernel, and so i would need help with this, or any
other information that would point me in the right direction that im
looking for.

If someone is interested in this, or has any information whatsoever,
please let me know!

thanks,
benb@uncontrolled.org

PS: im not looking for LIDS

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Apr 15 2001 - 21:00:16 EST