Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mranv/ebpf-file-monitor

This utility allows users to track changes in a specified file and prints a timestamp when modifications occur.
https://github.com/mranv/ebpf-file-monitor

bcc cargo ebpf ebpf-programs inotify rust-lang

Last synced: 3 months ago
JSON representation

This utility allows users to track changes in a specified file and prints a timestamp when modifications occur.

Host: GitHub
URL: https://github.com/mranv/ebpf-file-monitor
Owner: mranv
License: mit
Created: 2024-01-11T01:57:43.000Z (almost 1 year ago)
Default Branch: master
Last Pushed: 2024-03-05T09:33:09.000Z (10 months ago)
Last Synced: 2024-09-28T20:05:25.853Z (3 months ago)
Topics: bcc, cargo, ebpf, ebpf-programs, inotify, rust-lang
Language: Rust
Homepage: https://github.com/mranv/ebpf-file-monitor
Size: 275 KB
Stars: 3
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

README

Linux based File Monitoring using eBPF

`ebpf-file-monitor` is a slick Rust program that keeps an eagle-eye on your files and alerts you the moment changes occur!

## Features

- Uses cutting-edge eBPF technology to trace file events
- Prints out a timestamp the instant your file is modified
- Works smoothly across Linux, Windows and MacOS

## Prerequisites

- Rust 1.56+ (get the latest and greatest)
- Cargo (Rust's sweet package manager)
- Any mainstream OS - Linux, Windows or MacOS
- libbpf and bcc libraries (eBPF's dynamic duo)

## Installation

```bash
# Clone this puppy
git clone https://github.com/mranv/ebpf-file-monitor.git

# Hop into the directory
cd ebpf-file-monitor

# Install bcc and libbpf if needed

# For Fedora/RedHat:
sudo yum install bcc bpf
# For Debian/Ubuntu:
sudo apt-get install libbpf-dev libbcc-dev

# Build
cargo build --release
```

## Usage

Update the `FILE_PATH` to the file you want to keep an eye on.

Let this watchdog loose:

```
./target/release/ebpf-file-monitor
```

Now it'll print a timestamp immediately when that file changes.

So you can catch co-workers messing with your stuff! Or track edits on your top secret novel.

## Implementation

- Uses libbpf to load sneaky eBPF programs that trace `open` and `write` syscalls.
- Filters for events on your target file.
- When a modify event occurs, bam! prints the timestamp.
- eBPF + bcc = smooth cross-platform action.

## Limitations

- Watches only one file at a time.
- Needs eBPF/bcc libraries installed.

## Contributions

Ideas to improve this little watchdog are welcome! Woof woof!