LIFL (Linux Filesystem Logger) is a new, rewritten version of loggedfs, a FUSE-based daemon that logs filesystem activity.

LIFL logs, in detail, every filesystem call made inside a given directory path. Because the logging is done by a FUSE filesystem, only calls that pass through that mountpoint are seen.

To describe the project, I will summarise the functionality of the program in a list:

  • Fully configurable, with on/off switches so that logging that is not needed can be disabled for performance.
  • Remote logging to a MySQL database.
  • Logging of lstat, access, readlink, readdir, mknod, mkdir, unlink, rmdir, symlink, rename, link, chmod, chown, truncate, utimens, open, read, write, statfs, fallocate, setxattr, getxattr, listxattr and removexattr.
  • Storing the log in SQL gives flexibility in how the log data is represented and queried.
  • Logs system error messages.
  • Monitors write calls and logs a copy of the write buffer, with options to restrict capture by command, effective user id and write size.
  • Logging of time, hostname, user id, group id, username and groupname.
  • Logging of TTY, login time and remote host.
  • Logging of command, arguments, process id, parent process command and parent process id.
  • Logging of file, path, file protection (mode), file owner and group.
This project needs a lot of testing. I think I will set up a honeypot to see whether the program behaves as expected, and to see whether I can find some valuable results.

(If so, I will come back with another post about that.)

See the GitHub page.
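To make the logged fields and the "flexibility of SQL" concrete, here is an added example that is not part of the original post and not LIFL's own code or schema. It assumes a table with one row per filesystem call carrying the fields the feature list names (time, host, uid/gid and names, TTY and remote host, pid/ppid and commands, file mode/owner/group, write size and buffer, error number), fills it with constructed sample rows, and runs the kinds of queries a honeypot operator would want: write calls targeted by size, effective uid or command; a process that wrote a file and then chmod'ed execute bits onto it; and calls that failed with a system error. SQLite is used only so the example runs offline; the SQL is plain enough for MySQL. All filter values are bound parameters, so a command name or path taken from untrusted input cannot inject SQL.

```python
import sqlite3

# Illustrative schema written for this example. It is an assumption, not LIFL's
# own MySQL schema: one row per filesystem call, with the fields the feature
# list says LIFL records (caller identity, session, process tree, file metadata).
SCHEMA = """
CREATE TABLE fs_log (
    ts TEXT NOT NULL,             -- time of the call, ISO-8601
    hostname TEXT NOT NULL,
    op TEXT NOT NULL,             -- lstat, open, write, chmod, unlink, ...
    path TEXT NOT NULL,           -- path inside the monitored directory
    uid INTEGER, gid INTEGER, username TEXT, groupname TEXT,
    tty TEXT, remote_host TEXT,   -- login session data
    pid INTEGER, command TEXT, args TEXT, ppid INTEGER, parent_command TEXT,
    file_mode INTEGER, file_uid INTEGER, file_gid INTEGER,  -- protection, owner, group
    write_size INTEGER,           -- bytes passed to write(), NULL for other ops
    write_buf BLOB,               -- copy of the write buffer when capture is on
    errno INTEGER NOT NULL        -- 0 on success, otherwise the system error number
)
"""

# Constructed sample rows (not captured from a real system); column order as in SCHEMA.
# They sketch one session on a honeypot: a shell drops a script and makes it executable,
# a child process uploads a large file, a daemon writes as root, and another user's
# unlink fails with EACCES (13).
SAMPLE_ROWS = [
    ("2020-05-01T10:00:01", "hp1", "open", "/srv/upload/a.sh", 1001, 1001, "bob", "bob",
     "pts/0", "203.0.113.5", 4242, "bash", "bash -i", 4100, "sshd", 0o644, 1001, 1001,
     None, None, 0),
    ("2020-05-01T10:00:02", "hp1", "write", "/srv/upload/a.sh", 1001, 1001, "bob", "bob",
     "pts/0", "203.0.113.5", 4242, "bash", "bash -i", 4100, "sshd", 0o644, 1001, 1001,
     24, b"#!/bin/sh\nid > /tmp/out\n", 0),
    ("2020-05-01T10:00:03", "hp1", "chmod", "/srv/upload/a.sh", 1001, 1001, "bob", "bob",
     "pts/0", "203.0.113.5", 4242, "bash", "bash -i", 4100, "sshd", 0o755, 1001, 1001,
     None, None, 0),
    ("2020-05-01T10:00:09", "hp1", "write", "/srv/upload/big.bin", 1001, 1001, "bob", "bob",
     "pts/0", "203.0.113.5", 4300, "curl", "curl -O http://example.org/big.bin", 4242, "bash",
     0o644, 1001, 1001, 1048576, None, 0),
    ("2020-05-01T10:00:10", "hp1", "write", "/srv/upload/.audit", 0, 0, "root", "root",
     None, None, 812, "rsyslogd", "rsyslogd -n", 1, "systemd", 0o640, 0, 0, 80, None, 0),
    ("2020-05-01T10:00:12", "hp1", "unlink", "/srv/upload/a.sh", 1002, 1002, "alice", "alice",
     "pts/1", "198.51.100.7", 4400, "rm", "rm a.sh", 4390, "bash", 0o755, 1001, 1001,
     None, None, 13),
]

EXEC_BITS = 0o111  # any of u+x, g+x, o+x


def load_sample() -> sqlite3.Connection:
    """Create an in-memory log table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO fs_log VALUES (" + ",".join("?" * 21) + ")", SAMPLE_ROWS)
    return conn


def writes(conn, min_size=0, uid=None, command=None):
    """Write calls filtered the way the buffer-capture feature targets them:
    by minimum size, effective uid and command. Filters are bound parameters."""
    sql = ("SELECT ts, command, uid, path, write_size, write_buf FROM fs_log "
           "WHERE op = 'write' AND write_size >= ?")
    params = [min_size]
    if uid is not None:
        sql += " AND uid = ?"
        params.append(uid)
    if command is not None:
        sql += " AND command = ?"
        params.append(command)
    return conn.execute(sql + " ORDER BY ts", params).fetchall()


def write_then_chmod_exec(conn):
    """Processes that wrote a file and later chmod'ed execute bits onto the same
    path (a dropper pattern). Assumes the chmod row's file_mode is the mode set."""
    sql = """
    SELECT c.pid, c.command, c.path, c.file_mode
    FROM fs_log w JOIN fs_log c
      ON c.pid = w.pid AND c.path = w.path AND c.ts > w.ts
    WHERE w.op = 'write' AND c.op = 'chmod' AND (c.file_mode & ?) != 0
    ORDER BY c.ts
    """
    return conn.execute(sql, (EXEC_BITS,)).fetchall()


def failed_calls(conn):
    """Calls that returned a system error, with the caller context."""
    return conn.execute(
        "SELECT op, path, username, command, errno FROM fs_log WHERE errno != 0 ORDER BY ts"
    ).fetchall()


if __name__ == "__main__":
    db = load_sample()
    print("large writes:", writes(db, min_size=1000))
    print("write then chmod +x:", write_then_chmod_exec(db))
    print("failed calls:", failed_calls(db))
```

The self-join in `write_then_chmod_exec` is the kind of query that a flat text log makes painful and SQL makes a one-liner: correlating two calls by pid and path with an ordering constraint. With per-call on/off switches, `open`/`read`/`lstat` can be left off on a busy mount while `write`, `chmod`, `unlink` and errors are kept, which keeps the table small without losing the rows these queries need.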