filemon - An FSEvents client

File Monitor (filemon) is another one of the freeware utilities I wrote as an example of using FSEvents directly for my book. The original example was really simple, and buggy at times - but nonetheless useful, as it allowed tracking filesystem activity in OS X - and (more importantly) iOS. I've fixed the bugs along the way, and now - with MOXiI's 2nd Edition around the corner - it's time to do a version 2.0 of this one.

What's new

File Monitor 2.0 can not just log events, but also respond to them. There are two new actions which may be taken by the tool automatically on a matching event:

stop: Send the process generating the event a SIGSTOP, so you can "freeze" it, and then attach a debugger , etc.
link: auto-create a hard-link to the file being created. This will prevent the file from being deleted (unlinked), because an inode is retained so long as it has at least one link. You are responsible for rming that link.

Note that both actions aren't guaranteed, because there is a latency in FSEvents. Blame XNU, not me. So there are cases where by the time the process has been stopped it may have already snuck a few more operations (or, in some cases, exited). Likewise, there are cases when files are created and removed so fast that the link creation will fail. That said, for most lengthier and non-atomic operations this has been working pretty well

Another important feature is filtering: whereas v1.0 was just grep(1)-able, v2.0 allows you to specify pathname filters (separated by ","), process names or IDs (again, separated by ","), or events (from those supported by FSEvents, of course). This is actually required if you're using the auto-stop (-s) feature, because otherwise you run the risk of filemon firing STOP signals wildly, which might actually stop your own session!

And, of course, color :-) The usual JCOLOR=1, or -c or --color.

Download Latest Version

Here

Examples

Basic usage:

bash-3.2# ./filemon -h
Usage: filemon [options]
Where [options] are optional, and may be any of:
	-p|--proc  pid/procname:  filter only this process or PID
	-f|--file  string[,string]:        filter only paths containing this string (/ will catch everything)
	-e|--event event[,event]: filter only these events
	-s|--stop:                auto-stop the process generating event
	-l|--link:                auto-create a hard link to file (prevents deletion by program :-)
	-c|--color (or set JCOLOR=1 first)

No arguments - catch everything (just like original version of tool). Filemon will filter itself

With color (because it's always nicer in color :-)

Auto-link any created file (so it doesn't get removed). This is now automatically done in iOS to /private/var/tmp/filemon, which ensures that A) link survives if entire directory hierarchy is nuked and B) you won't clutter your FS after rebooting.

root@iPhone (/var/root)# filemon -l
Auto-linked /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan to /private/var/tmp/filemon/com.apple.coreduetd.plist.sjW8Xan.filemon.1
   83 cfprefsd	Created        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
Auto-linked /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M to /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2
   83 cfprefsd	Created        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sYNYm6M	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
   83 cfprefsd	Chowned        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
   83 cfprefsd	Modified       /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	
   83 cfprefsd	Renamed        /private/var/mobile/Library/Preferences/com.apple.coreduetd.plist.sjW8Xan	/private/var/mobile/Library/Preferences/com.apple.coreduetd.plist 
^C
# Note original file is gone, but hard link persists (with link count being 1)
root@iPhone (/var/root)# ls -l /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2
-rw-------  1 mobile  mobile  46045 Jun  6 12:58 /private/var/tmp/filemon/com.apple.coreduetd.plist.sYNYm6M.filemon.2

Auto-stop anyone touching a container:

Greets

Jason Haddix - http://community.hpe.com/t5/Protect-Your-Assets/Realtime-iOS-Filesystem-Monitoring-Installing-and-Using-filemon/ba-p/5923145#.V1XlWGZbuqA

Q & A

Is this open source? Yes. The source is in the TAR

When's the book coming out?! A book is coming out mid July. Stay tuned.

And when is the next training on iOS/OSX internals? August 8^th, in SFO - See here. And if you go the training you'll get a free copy of the book, too :-)

Requests

If you have any features you want to see in this tools (or others), simply tell me through the NewOSXBook Forum.

If you want to modify the source - you can. It's open. Personally I'd rather you tell me, and I'd gladly add the change(s) so others can enjoy it. But at any rate - have the decency to leave the links to the website and comments verbatim, rather than dumping it in Github and claiming you wrote it.