filemon - An FSEvents client

File Monitor (filemon) is another one of the freeware utilities I wrote as an example of using FSEvents directly for my book. The original example was really simple, and buggy at times - but nonetheless useful, as it allowed tracking filesystem activity in OS X - and (more importantly) iOS. I've fixed the bugs along the way, and now - with MOXiI's 2nd Edition around the corner - it's time to do a version 2.0 of this one.

What's new

File Monitor 2.0 can not just log events, but also respond to them. There are two new actions which may be taken by the tool automatically on a matching event:

Note that neither action is guaranteed, because there is latency in FSEvents. Blame XNU, not me. So there are cases where, by the time the process has been stopped, it may have already snuck in a few more operations (or, in some cases, exited). Likewise, there are cases when files are created and removed so fast that the link creation will fail. That said, for most lengthier and non-atomic operations this has been working pretty well.

Another important feature is filtering: whereas v1.0 was just grep(1)-able, v2.0 allows you to specify pathname filters (separated by ","), process names or IDs (again, separated by ","), or events (from those supported by FSEvents, of course). This is actually required if you're using the auto-stop (-s) feature, because otherwise you run the risk of filemon firing STOP signals wildly, which might actually stop your own session!

And, of course, color :-) The usual JCOLOR=1, or -c or --color.


Download Latest Version

Here

Examples

  • Basic usage:
    bash-3.2# ./filemon -h
    Usage: filemon [options]
    Where [options] are optional, and may be any of:
    	-p|--proc  pid/procname:  filter only this process or PID
    	-f|--file  string[,string]:        filter only paths containing this string (/ will catch everything)
    	-e|--event event[,event]: filter only these events
    	-s|--stop:                auto-stop the process generating event
    	-l|--link:                auto-create a hard link to file (prevents deletion by program :-)
    	-c|--color (or set JCOLOR=1 first)
    
  • No arguments - catch everything (just like original version of tool). Filemon will filter itself
  • With color (because it's always nicer in color :-)
  • Auto-link any created file (so it doesn't get removed). This is now automatically done in iOS to /private/var/tmp/filemon, which ensures that A) the link survives if the entire directory hierarchy is nuked and B) you won't clutter your FS after rebooting.
    root@iPhone (/var/root)# filemon -l
    Auto-linked /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan to /private/var/tmp/filemon/com.apple.coreduetd.plist.sjW8Xan.filemon.1
       83 cfprefsd	Created        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
    Auto-linked /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M to /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2
       83 cfprefsd	Created        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
       83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
       83 cfprefsd	Modified       /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
       83 cfprefsd	Renamed        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	/private/var/mobile/Library/Preferences/com.apple.coreduetd.plist 
    ^C
    # Note original file is gone, but hard link persists (with link count being 1)
    root@iPhone (/var/root)# ls -l /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2
    -rw-------  1 mobile  mobile  46045 Jun  6 12:58 /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2
    
    
  • Auto-stop anyone touching a container:

Greets

  • Jason Haddix - http://community.hpe.com/t5/Protect-Your-Assets/Realtime-iOS-Filesystem-Monitoring-Installing-and-Using-filemon/ba-p/5923145#.V1XlWGZbuqA

Q & A

  • Is this open source? Yes. The source is in the TAR.
  • When's the book coming out?! A book is coming out mid July. Stay tuned.
  • And when is the next training on iOS/OSX internals? August 8th, in SFO - See here. And if you go to the training you'll get a free copy of the book, too :-)

Requests

  • If you have any features you want to see in this tool (or others), simply tell me through the NewOSXBook Forum.
  • If you want to modify the source - you can. It's open. Personally I'd rather you tell me, and I'd gladly add the change(s) so others can enjoy it. But at any rate - have the decency to leave the links to the website and comments verbatim, rather than dumping it in Github and claiming you wrote it.