Making a kernel change. Where do I begin?

dman65 · 04-22-2005, 09:25 AM

I think I need to make a kernel change in order to meet some system requirements.

Basically, whenever someone accesses a file on one of my servers I need to log the user id, the file name, and the time the file was accessed. I am thinking that in order to do this I would need to update whatever part of the kernel updates the last access time associated with files. Of course, I would have to be careful and not write an entry for the actual file I am logging to since i assume that would create some sort of endless loop.

I also thought while I was at it, i might as well make a change that would write to a log file whenever a file is changed. It seems that this would make backing up a particularly large directory on that machine much easier since I wouldn't have to list every file in the directory and then get a stat() for it to see if it had been updated in the last hour. That is what I currently do and it takes 30 minutes just to query all of the files.

Can anyone tell me:

A) Whether or not something like this has already been done

B) If it hasn't, where would I begin to find the necessary information on how to do this.

Thanks for any assistance.

Darrell

osvaldomarques · 04-22-2005, 10:50 AM

Hi Darrell,

I think what you want is inotify. I have no experience with it, but the docs suggest it is highly configurable.

Regards,

Osvaldo.

dman65 · 04-22-2005, 02:26 PM

Thanks Osvaldo,

It looks like this would definitely work for my backup requirements. Unfortunately, it doesn't really address creating a file access log since the function doesn't seem to report any information about the user who is causing the event.

I am really kind of surprised that Linux does not have a native logging function that records user's file access. I have always heard how secure Linux was, but it doesn't have this basic requirement. HIPAA regulations in the US require that any access to files containing electronic protected health information be logged so Linux would not even meet this basic requirement.

gnashley · 04-22-2005, 02:26 PM

fam the File Alteration Monitor?

dman65 · 04-22-2005, 02:40 PM

I took a look at FAM, but I couldn't see in the documentation that is returns the user name or user id of who actually opened or created a file, only that the file was opened or created.