Cruxfilemond is a lightweight file system monitoring daemon built for Linux using the fanotify API. It tracks file access and modification events within specified directories, providing users with detailed logs of filesystem activity in real time.
Monitors file access and modification events in real time using fanotify.
Supports logging of basic file events (read, write) with timestamps.
Gracefully handles signals like SIGHUP (reload configuration) and SIGTERM (terminate daemon).
Simple configuration file to add watch directories/files via a .config/cf.conf file in the root directory of the project.
Future releases aim to add:
Support for nested directory monitoring.
- Enhanced logging with user-defined log formats and event types.
- Config file monitoring and reloading on the fly.
- Installation
- Usage
- Configuration
- Logging
- Signals
- Performance
- Contributing
- License
Clone the repository:
git clone https://github.com/c0d-0x/cruxfilemond.gitcd cruxfilemond
mkdir bin
mkdir .config ## for configuration
make- Usage: add a dir or a file to be watch in
cruxfilemond/.config/cf.conffile
sudo ./cruxfilemond -d # to run in debug, interactive modeThe daemon will log all file access and modification events to the console or log file (if specified).
-d : Run as a daemon in the background.
-v : Verbose mode for additional logging details.
Example:
sudo ./bin/cruxfilemond -dThis is done in the ./.config/cf.conf
Cruxfilemond logs events such as file accesses and modifications. The log output includes:
- Timestamp: When the event occurred.
- Event Type: File read or write - [ACCESS or MODIFIED].
- File Path: Full path of the affected file.
- Process Info: PID and name of the process accessing the file.
- logs in json format.
{
"date":"Fri Jan 31 16:45:17 2025",
"file":"/home/c0d_0x/secret.txt",
"process":"cat",
"event":"FILE ACCESSED",
"state":"(running)",
"umask":"0022",
"username":"c0d_0x"
}Cruxfilemond responds to the following signals:
- SIGTERM: Gracefully shuts down the daemon.
- Loads configuration: Reads the configuration file and builds a list of paths to monitor.
- Creates fanotify instance: Initializes a fanotify file descriptor with appropriate flags.
- Adds watches: Adds watches for each configured path using fanotify_mark.
- Event loop: Continuously reads events from the fanotify file descriptor.
- Event handling: Processes events, retrieves process information, and optionally logs events.
- Linux kernel with fanotify support
- poll library
- Standard C libraries
Cruxfilemond is optimized for lightweight monitoring of directories. For larger systems with many files, the following performance improvements are planned:
- Recursive directory monitoring to track nested directories.
- Batch event processing to reduce resource consumption under high load.
- Contributions
Contributions are welcome! If you’d like to help improve Cruxfilemond, consider working on the following areas:
- Adding recursive directory monitoring.
- Implementing support for different file event types (creation, deletion, permission changes).
- Optimizing resource usage through epoll or multi-threading.
- Enhancing logging to support custom formats and integration with syslog or SIEM systems.
- Feel free to fork the repository, submit issues, or create pull requests.
Here’s a glimpse of upcoming features and enhancements:
- Nested directory monitoring.
- Configurable logging output.
- Memory and resource optimization.
- Web-based dashboard for real-time monitoring.
For any questions, feel free to reach out through the repository's issues page or email: [email protected]