Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/santoru/filewatcher
A simple auditing utility for macOS
auditing filesystem macos malware monitoring security-audit
- Host: GitHub
- URL: https://github.com/santoru/filewatcher
- Owner: santoru
- License: gpl-3.0
- Created: 2017-07-02T21:49:19.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-03-20T21:00:34.000Z (almost 4 years ago)
- Last Synced: 2025-01-10T14:12:03.313Z (9 days ago)
- Topics: auditing, filesystem, macos, malware, monitoring, security-audit
- Language: C
- Size: 3.74 MB
- Stars: 282
- Watchers: 16
- Forks: 39
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-hacking-lists - santoru/filewatcher - A simple auditing utility for macOS (C)
README
# filewatcher
## a simple auditing utility for macOS

Filewatcher is an auditing and monitoring utility for macOS.
It can audit all events from the system auditpipe of macOS and filter them by process or by file.
You can use this utility to:
- Monitor access to a file, or a group of files.
- Monitor activity of a process, and which resources are accessed by that process.
- Build a small Host-Based IDS by monitoring access or modifications to specific files.
- Do dynamic malware analysis by monitoring what the malware is using on the filesystem.

If you want to read more about how it works, [check my blog](https://insecurity.blog/2017/07/02/mac-os-real-time-auditing/).
### Installation
Just run `make` to compile it and then run `./bin/filewatcher`.

```
Usage: ./bin/filewatcher [OPTIONS]
-f, --file Set a file to filter
-p, --process Set a process name to filter
-a, --all Display all events (By default only basic events like open/read/write are displayed)
-d, --debug Enable debugging messages to be saved into a file
-h, --help Print this help and exit
```
### Expected output: