Limiting filesystem provenance collection on Linux

Ashish Gehani edited this page Jul 27, 2015 · 3 revisions

It may be preferable to only collect provenance about a limited part of the filesystem (that a target application is using, for example). Additionally, collecting fine-grained provenance, including I/O time, can impose significant overhead when done across the entire operating system. This reporter allows provenance collection to be limited to a subtree of the filesystem (which is /tmp/mountPoint in the example below).


yum install fuse fuse-devel fuse-libs

The LinuxFUSE reporter is built automatically with make in the top-level SPADE directory. Before this reporter can be used, the option user_allow_other must be enabled in the file /etc/fuse.conf.

To use this reporter, the argument must specify the path where the FUSE filesystem will be mounted:

-> add reporter LinuxFUSE /tmp/mountPoint
Adding reporter LinuxFUSE... done

Provided that no file or directory already exists at /tmp/mountPoint, the above line will mount the FUSE filesystem at /tmp/mountPoint. Any filesystem events that occur in this subtree will be monitored by SPADE and their provenance recorded. Information about the processes that generate the filesystem activity will also be collected and reported.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.