Watching Under The Hood Of Tiger's Spotlight
jaketheitguy writes "Over at KernelThread.com, Amit Singh has released a command-line app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime. The utility apparently intercepts and displays filesystem change data as it goes out to Spotlight from the kernel. It even tells you which app is making the changes. Looks like Apple has included some pretty powerful APIs in Tiger and there may be some other really interesting uses of this API as mentioned on the app's page. I for one would really like to be able to tell if somebody changed ANY files on my system without my knowledge. I think you can do that with Singh's program, but how do you make sure somebody cannot disable the program?"
I used to be a lonely nerd, but thanks to Spotlight I can:
- Run Faster
- Jump Higher
- Score with the chicks
- Regrow lost hair!
Conformity is the jailer of freedom and enemy of growth. -JFK
Actually you can get this functionality already in a long-standing Unix utility called Tripwire.
http://www.tripwire.com/
http://sourceforge.net/projects/tripwire/
There is even a Mac OS X version now it seems:
http://www.macguru.net/~frodo/Tripwire-osx.html
Of course you'd probably then want an OS that implements some form of relevant Mandatory Access Control / POSIX.1e (e.g. LIDS for Linux, Trusted Solaris, or Argus Pitbull (Linux/Solaris)) to help prevent the intruder from interfering with Tripwire itself.
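A minimal Tripwire-style integrity check, added here as an illustration (it is not Tripwire's own code and not from the article): a baseline manifest of per-file SHA-256 digests and metadata is compared against a later scan to report added, removed and modified files. The directory layout and file names used in the demo are constructed for the example.

```python
# Added example: a minimal Tripwire-style integrity check. A baseline manifest
# records a SHA-256 digest plus size, mode and mtime for every regular file
# under a root; a later scan is compared against it. The baseline must itself be
# stored where an intruder cannot rewrite it (read-only media, another host),
# otherwise a "clean" comparison proves nothing.
import hashlib
import os
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, dict]:
    """Walk `root` and record digest and metadata for each regular file."""
    manifest: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are hashed in this example
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": st.st_mode,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report paths that were added, removed or modified since the baseline.
    Any metadata difference (not just content) counts as a modification."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = baseline.keys() & current.keys()
    modified = sorted(p for p in common if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    # Constructed demo: snapshot a directory, then re-scan it later and diff.
    base = build_manifest("/etc")          # assumed path; store this off-host
    print(compare(base, build_manifest("/etc")))
```

The comparison is only meaningful if the stored baseline (and the checker) sit outside the intruder's reach, which is exactly why the MAC remark above matters.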
Take a look at the kqueue(2) man page.
There are more details available at http://people.freebsd.org/~jlemon/papers/kqueue.pdf
Interesting. Steve Jobs is out of the office these days... http://www.thinksecret.com/news/0505itunes49.html