LIFL, short for Linux Filesystem Logger, is a new, rewritten version of loggedfs, a FUSE-based daemon that logs filesystem activity.
LIFL logs every filesystem call made inside a given directory path, in detail.
To describe the project, I will summarise the program's functionality in a list:
Fully configurable, with on/off switches for each logged item so that logging detail can be traded for performance.
Remote logging to MySQL.
Logging of lstat, access, readlink, readdir, mknod, mkdir, unlink, rmdir, symlink, rename, link, chmod, chown, truncate, utimens, open, read, write, statfs, fallocate, setxattr, getxattr, listxattr and removexattr.
Storing the log in SQL gives flexibility in how the log data is represented and queried.
Logging of system error messages.
Monitoring of write calls, logging a copy of the write buffer, with options to restrict capture by command, effective user id and write size.
Logging of time, hostname, user id, group id, username and groupname.
Logging of TTY, login time and remote host.
Logging of command, arguments, process id, parent process command and parent process id.
Logging of file name, path, file protection, file owner and group.
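The items above describe what a single log record has to carry for one filesystem call. The following is an added example, not LIFL's own code: it assumes that a FUSE callback receives the caller's uid, gid and pid (as fuse_get_context() provides) and shows how those are enriched into a record with the user and group names, the calling command and its parent from procfs, the target file's protection and ownership from lstat, and a size-capped copy of a write buffer. The capture limit `WRITE_CAPTURE_LIMIT`, the `demo()` helper and the 100-byte payload are constructed for the example.

```python
"""Build a LIFL-style log record for one filesystem call.

Added example, not LIFL's own code. The (uid, gid, pid) triple stands in for
what FUSE's fuse_get_context() hands a filesystem callback; everything else is
looked up from pwd/grp, procfs and lstat on the target path.
"""
import grp
import os
import pwd
import socket
import stat
import tempfile
import time

WRITE_CAPTURE_LIMIT = 64  # constructed cap on how many write-buffer bytes are kept


def lookup_name(lookup, ident):
    """pwd/grp lookup that tolerates ids with no database entry (e.g. a container uid)."""
    try:
        return lookup(ident)
    except KeyError:
        return None


def process_info(pid):
    """Command line and parent of `pid` from procfs.

    Fields stay None off Linux, when the process has already exited, or when
    pid is 0 (FUSE may report pid 0 for calls the kernel issues on its own,
    such as writeback), so a logger must not assume a command is always known.
    """
    info = {"pid": pid, "argv": None, "ppid": None, "parent_cmd": None}
    if pid <= 0:
        return info
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            info["argv"] = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        with open(f"/proc/{pid}/stat") as fh:
            # "pid (comm) state ppid ...": comm may contain spaces, so split after the last ')'
            fields = fh.read().rsplit(")", 1)[1].split()
        info["ppid"] = int(fields[1])
        with open(f"/proc/{info['ppid']}/comm") as fh:
            info["parent_cmd"] = fh.read().strip()
    except (OSError, IndexError, ValueError):
        pass
    return info


def build_record(op, path, uid, gid, pid, write_buf=None):
    """Assemble one log record; write_buf is only present for write calls."""
    user = lookup_name(pwd.getpwuid, uid)
    group = lookup_name(grp.getgrgid, gid)
    st = os.lstat(path)
    owner = lookup_name(pwd.getpwuid, st.st_uid)
    fgroup = lookup_name(grp.getgrgid, st.st_gid)
    rec = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "hostname": socket.gethostname(),
        "op": op,
        "uid": uid,
        "gid": gid,
        "username": user.pw_name if user else None,
        "groupname": group.gr_name if group else None,
        "file": os.path.basename(path),
        "path": path,
        "mode": f"{stat.S_IMODE(st.st_mode):04o}",  # file protection bits, e.g. 0600
        "owner": owner.pw_name if owner else str(st.st_uid),
        "group": fgroup.gr_name if fgroup else str(st.st_gid),
    }
    rec.update(process_info(pid))
    if write_buf is not None:
        # keep the size of the whole write, but only a bounded copy of its data
        rec["write_size"] = len(write_buf)
        rec["write_data"] = bytes(write_buf[:WRITE_CAPTURE_LIMIT])
        rec["truncated"] = len(write_buf) > WRITE_CAPTURE_LIMIT
    return rec


def demo():
    """Log a constructed 100-byte write to a temporary file made by this process."""
    fd, path = tempfile.mkstemp(prefix="lifl-demo-")
    try:
        os.chmod(path, 0o600)
        buf = b"x" * 100  # constructed write payload
        os.write(fd, buf)
        return build_record("write", path, os.getuid(), os.getgid(), os.getpid(), buf)
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>12}: {value!r}")
```

The record is built as a plain dict so that each field maps directly onto a column in a MySQL table; capping the copied write data keeps the log from growing at the rate of the writes it observes, while `write_size` still records how much was actually written.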
This project needs some big testing. I think I will set up a honeypot to see if the program has the expected behavior, and to see if I am able to find some valuable results.
(If so I will come back with another post about that.)
See the GitHub page.