file-audit-system

File monitoring software that logs file access to configured directories on the system.

Assumptions

  • Linux OS
  • Recent version of the Linux kernel (I used 5.3.7)
  • systemd-based OS
  • libaudit is available and installed on the system
  • libpthread is available and installed on the system
  • auditd and its related tools are available and installed on the system

Debugging

  • Reinstall a new version:
    • sudo killall auditd && make && sudo make install && sudo systemctl start auditd
  • GDB analysis of the core dump in case of a crash:
    • sudo coredumpctl -1 gdb
  • Follow the debugging output:
    • journalctl -fu auditd

Install

1. Build

  • mkdir build && cd build
  • cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo ..
  • make
  • sudo make install

2. Run install.sh

  • sudo install.sh

See it in action:

  • tail -f /tmp/file-monitor.log
    • Change the path above to follow a different log file
  • journalctl -fu auditd
    • Watch here for any relevant application log messages

Todo

  • Is nametype truly the file access type?
  • Add an executable argument to specify a different config file
  • Avoid the hardcoded config file location ("/etc/file-monitor.conf")
  • Make the logged audit events configurable
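An added example, not code from the file-audit-system project, bearing on the nametype question above: a small C parser that pulls name= and nametype= out of an auditd PATH record (the sample record is constructed). nametype describes the role the path played in the syscall, so the read/write mode has to come from the matching SYSCALL record.

```c
/* Added example (not part of file-audit-system): extract name= and
 * nametype= from a Linux audit PATH record as written by auditd. */
#include <string.h>

struct path_record {
    char name[256];    /* value of name="..." with the quotes stripped */
    char nametype[16]; /* NORMAL, PARENT, CREATE, DELETE or UNKNOWN */
};

/* Constructed sample record (not captured from a real system). */
const char *SAMPLE_PATH_RECORD =
    "type=PATH msg=audit(1572900000.123:456): item=1 "
    "name=\"/etc/file-monitor.conf\" inode=1234 nametype=NORMAL cap_fp=0";

/* Copy the value following key (e.g. " nametype=") into out, handling both
 * quoted and bare values. Returns 1 on success, 0 if the key is absent. */
static int field(const char *line, const char *key, char *out, size_t cap)
{
    const char *p = strstr(line, key), *end;
    if (!p) return 0;
    p += strlen(key);
    if (*p == '"') { p++; end = strchr(p, '"'); }
    else end = p + strcspn(p, " \n");
    if (!end) return 0;
    size_t n = (size_t)(end - p);
    if (n >= cap) n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Parse one record; returns 1 only for a PATH record carrying both fields. */
int parse_path_record(const char *line, struct path_record *r)
{
    if (strncmp(line, "type=PATH ", 10) != 0) return 0;
    return field(line, " name=", r->name, sizeof r->name) &&
           field(line, " nametype=", r->nametype, sizeof r->nametype);
}

/* nametype records the role the path played in the syscall (created, deleted,
 * parent directory, or merely referenced). It does not say whether the file was
 * read or written; that comes from the paired SYSCALL record (syscall= and its
 * argument fields), which shares the same audit(...) event id. */
const char *describe_nametype(const char *nt)
{
    if (!strcmp(nt, "CREATE")) return "object created";
    if (!strcmp(nt, "DELETE")) return "object unlinked";
    if (!strcmp(nt, "PARENT")) return "parent directory of the object";
    if (!strcmp(nt, "NORMAL")) return "object referenced; see SYSCALL record for mode";
    return "unknown";
}
```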