Slashdot Mirror


Watching Under The Hood Of Tiger's Spotlight

jaketheitguy writes "Over at KernelThread.com, Amit Singh has released a command-line app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime. The utility apparently intercepts and displays filesystem change data as it goes out to Spotlight from the kernel. It even tells you which app is making the changes. Looks like Apple has included some pretty powerful APIs in Tiger and there may be some other really interesting uses of this API as mentioned on the app's page. I for one would really like to be able to tell if somebody changed ANY files on my system without my knowledge. I think you can do that with Singh's program, but how do you make sure somebody cannot disable the program?"

2 of 43 comments

  1. Tripwire by @madeus · Score: 3, Informative

    Actually you can get this functionality already in a long standing Unix utility called Tripwire.

    http://www.tripwire.com/
    http://sourceforge.net/projects/tripwire/

    There is even a Mac OS X version now it seems:
    http://www.macguru.net/~frodo/Tripwire-osx.html

    Of course you'd probably then want an OS that implements some form of relevant Mandatory Access Control / POSIX.1e (e.g. LIDS for Linux, Trusted Solaris, or Argus Pitbull (Linux/Solaris)) to help prevent the intruder from interfering with Tripwire itself.

  2. Tracking changes to the file system by Simon+Spero · Score: 3, Informative

    There's a system call that lets user-space programs subscribe to a lot of interesting kernel level events.

    Take a look at the kqueue(2) man page.

    There are more details available at http://people.freebsd.org/~jlemon/papers/kqueue.pdf
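As an added illustration of the Tripwire-style approach from comment 1 (this is example code written for this page, not Tripwire's or FSLogger's own code): a baseline of file hashes and permissions is built, the baseline is authenticated with an HMAC under a key that is assumed to be kept off the monitored host, and a later scan is compared against it so that added, removed and modified files are reported and a tampered baseline file is rejected. The directory layout and key in `demo()` are constructed sample data.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root (symlinks skipped)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
    return baseline

def sign_baseline(baseline, key):
    """Serialise deterministically and attach an HMAC so edits to the stored baseline are detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def load_baseline(body, tag, key):
    """Verify the HMAC (constant-time) before trusting the baseline; refuse a tampered one."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        raise ValueError("baseline signature mismatch: stored baseline was altered")
    return json.loads(body)

def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose hash/mode/size differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    key = b"constructed-demo-key"  # assumption: real key lives offline / read-only media, not on the host
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        d = Path(d)
        (d / "etc").mkdir(); (d / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (d / "bin").mkdir(); (d / "bin" / "ls").write_bytes(b"\x7fELF-constructed-original")
        body, tag = sign_baseline(build_baseline(d), key)
        # later: one binary has been replaced and an unexpected file has appeared
        (d / "bin" / "ls").write_bytes(b"\x7fELF-constructed-replaced")
        (d / "tmp").mkdir(); (d / "tmp" / "x").write_text("unexpected\n")
        return compare(load_baseline(body, tag, key), build_baseline(d))
```

Running `demo()` reports `bin/ls` as changed and `tmp/x` as added; the signed baseline is what keeps an intruder from simply re-baselining after the fact, which is why comment 1 also wants the checker itself protected by MAC controls.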