|
2 | 2 |
|
3 | 3 |  |
4 | 4 |
|
5 | | -Filesystem Monitor utility for Linux, Android, iOS and macOS. |
| 5 | +Low level filesystem monitor utility for Linux, Android, iOS and macOS. |
6 | 6 |
|
7 | | -Brought to you by *Sergi Àlvarez* at **Nowsecure** and distributed under the **MIT** license. |
| 7 | +- **Author**: pancake @ nowsecure |
| 8 | +- **License**: MIT |
| 9 | + |
| 10 | +Designed for |
| 11 | + |
| 12 | +- System administrators and incident responders |
| 13 | +- Security researchers and forensic analysts |
| 14 | +- Developers debugging I/O-heavy applications |
| 15 | +- Reverse engineers interested in observing filesystem access behavior |
8 | 16 |
|
9 | | -**Contact**: pancake@nowsecure.com |
10 | 17 |
|
11 | 18 | ## Installation |
12 | 19 |
|
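Review bot: `Designed for` (new line 10) is a sentence fragment introducing a list; end it with a colon (`Designed for:`), and for consistency with the hyphenation this same change uses later (`low-level, cross-platform filesystem monitor`) write `Low-level filesystem monitor utility` on new line 5. Dropping the `**Contact**: pancake@nowsecure.com` line here is fine only because the address is re-added under a License section later in this patch; keep the two in sync.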
@@ -54,55 +61,86 @@ Examples: |
54 | 61 | $ |
55 | 62 | ``` |
56 | 63 |
|
57 | | -## Backends |
| 64 | +## 🔍 Key Features of fsmon |
58 | 65 |
|
59 | | -fsmon filesystem information is taken from different backends depending on the operating system and apis available. |
| 66 | +`fsmon` is a low-level, cross-platform filesystem monitor designed for developers, forensic analysts, and reverse engineers. It works by hooking into the OS kernel's tracing facilities or file notification APIs. |
60 | 67 |
|
61 | | -This is the list of backends that can be listed with `fsmon -L`: |
| 68 | +### ✅ Supported Platforms |
62 | 69 |
|
63 | | -* inotify (linux / android) |
64 | | -* fanotify (linux > 2.6.36 / android with custom kernel) |
65 | | -* devfsev (osx /dev/fsevents - requires root) |
66 | | -* kqueue (xnu - requires root) |
67 | | -* kdebug (bsd?, xnu - requires root) |
68 | | -* fsevapi (osx filesystem monitor api) |
| 70 | +- **Android**: via `inotify`, `fanotify` is not always supported |
| 71 | +- **Linux**: via `inotify` and `fanotify` |
| 72 | +- **macOS**: using `kdebug`, `FSEvents`, `kqueue`, and `/dev/fsevents` |
| 73 | +- **iOS** (limited support through FSEvent APIs) |
69 | 74 |
|
70 | | -## Compilation |
| 75 | +### Core Capabilities |
71 | 76 |
|
72 | | -fsmon is a portable tool. It works on iOS, OSX, Linux and Android (x86, arm, arm64, mips) |
| 77 | +- **Real-Time File Monitoring** |
| 78 | + Detects and reports file operations such as creation, deletion, modification, attribute changes, and renames in real-time. |
73 | 79 |
|
74 | | -*Linux* |
| 80 | +- **Multi-Backend Support** |
75 | 81 |
|
76 | | -```bash |
77 | | -$ make |
78 | | -``` |
| 82 | + Automatically selects the best available monitoring backend or allows users to choose: |
| 83 | + - `inotify`, `fanotify` (Linux) |
| 84 | + - `fsevapi`, `kdebug`, `devfsev`, `kqueue` (iOS / macOS) |
79 | 85 |
|
80 | | -*OSX + iOS fatbin* |
| 86 | + The list of backends can be listed with `fsmon -L`. |
81 | 87 |
|
82 | | -```bash |
83 | | -$ make |
84 | | -``` |
| 88 | +- **Process-Level Insights** |
| 89 | + Associates file events with process names, PIDs, and UIDs, where possible. |
85 | 90 |
|
86 | | -*iOS* |
| 91 | +- **Recursive Monitoring** |
| 92 | + Monitors entire directory trees recursively, dynamically adding new directories. |
87 | 93 |
|
88 | | -```bash |
89 | | -$ make ios |
90 | | -``` |
| 94 | +- **JSON Output Format** |
| 95 | + Supports structured logging in JSON or JSON stream mode for easy integration with other tools (e.g. `jq`, `ELK`, etc). |
91 | 96 |
|
92 | | -*Android* |
| 97 | +- **Filename Filtering & Formatting** |
| 98 | + Optionally strips full paths, shows only filenames, and colorizes output based on event type. |
93 | 99 |
|
94 | | -```bash |
95 | | -$ make android NDK_ARCH=<ARCH> ANDROID_API=<API> |
96 | | -``` |
| 100 | +- **Selective Monitoring** |
| 101 | + Filter events by: |
| 102 | + - Specific process name (`-P`) |
| 103 | + - Specific PID (`-p`) |
| 104 | + - Child processes (`-c`) |
| 105 | + - Files under a given path |
97 | 106 |
|
98 | | -To get fsmon installed system wide just type: |
| 107 | +- **Backup on Event** |
| 108 | + Automatically copies affected files to a backup directory when changes are detected (`-b`). |
| 109 | + |
| 110 | +- **Timestamping** |
| 111 | + Adds timestamps to each event to facilitate forensic analysis. |
| 112 | + |
| 113 | +- **Minimal Dependencies** |
| 114 | + Written in portable C with no runtime dependencies beyond standard libraries. |
| 115 | + |
| 116 | +- **Graceful Shutdown & Signal Handling** |
| 117 | + Handles `SIGINT`, `SIGTERM`, and `SIGALRM` to allow clean exits and timed monitoring sessions. |
| 118 | + |
| 119 | +### 🧪 Event Types Tracked |
| 120 | + |
| 121 | +Examples of events that `fsmon` can detect: |
| 122 | + |
| 123 | +- `CREATE_FILE`, `DELETE`, `RENAME` |
| 124 | +- `OPEN`, `CLOSE`, `STAT_CHANGED` |
| 125 | +- `CHOWN`, `CHMOD`, `XATTR_MODIFIED` |
| 126 | +- `CONTENT_MODIFIED`, `EXCHANGE`, `FINDER_INFO_CHANGED` |
| 127 | + |
| 128 | +## Compilation |
| 129 | + |
| 130 | +fsmon is a portable tool. It works on iOS, OSX, Linux and Android (x86, arm, arm64, mips) |
99 | 131 |
|
100 | 132 | ```bash |
101 | | -$ make install |
| 133 | +$ make |
102 | 134 | ``` |
103 | 135 |
|
104 | | -Changing installation path... |
| 136 | +Crosscompilation to iOS/Android is made easy by just running `make ios` or `make android`: |
105 | 137 |
|
106 | 138 | ```bash |
107 | | -$ make install PREFIX=/usr DESTDIR=/ |
| 139 | +$ make android NDK_ARCH=<ARCH> ANDROID_API=<API> |
108 | 140 | ``` |
| 141 | + |
| 142 | +## License |
| 143 | + |
| 144 | +This tool is free software developed by [NowSecure](https://nowsecure.com) and distributed under the MIT license. |
| 145 | + |
| 146 | +You can reach out **Sergi Alvarez** via email [pancake@nowsecure.com](mailto:pancake@nowsecure.com) |
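Review bot: the rewritten backend lists lose information the removed `## Backends` list carried: `devfsev`, `kqueue` and `kdebug` were marked `requires root`, and `fanotify` was qualified as `linux > 2.6.36 / android with custom kernel`; the privilege requirement in particular matters to anyone deploying the tool on a host and should be restored next to those backends. The backend names are also inconsistent between the new sections (`FSEvents` and `/dev/fsevents` under Supported Platforms versus `fsevapi` and `devfsev` under Multi-Backend Support); use the names that `fsmon -L` prints throughout. The Android bullet is a comma splice; `via \`inotify\` (\`fanotify\` is not always supported)` reads correctly. `Crosscompilation to iOS/Android is made easy by just running \`make ios\` or \`make android\`` is followed only by the Android command, so keep the `$ make ios` block this hunk removes, and the `$ make install` / `$ make install PREFIX=/usr DESTDIR=/` lines are removed with no replacement in this hunk, so confirm the Installation section above still covers them. Minor: `You can reach out **Sergi Alvarez** via email` needs `to` and a full stop, and the accent in the removed `Sergi Àlvarez` is lost.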