Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Limiting filesystem provenance collection on Linux
It may be preferable to only collect provenance about a limited part of the filesystem (that a target application is using, for example). Additionally, collecting fine-grained provenance, including I/O time, can impose significant overhead when done across the entire operating system. This reporter allows provenance collection to be limited to a subtree of the filesystem (which is
/tmp/mountPoint in the example below).
- FUSE (http://fuse.sourceforge.net/)
- On Fedora, FUSE can be installed by issuing the following command:
yum install fuse fuse-devel fuse-libs
The LinuxFUSE reporter is built automatically with
make in the top-level SPADE directory. Before this reporter can be used, the option user_allow_other must be enabled in the file
To use this reporter, the argument must specify the path where the FUSE filesystem will be mounted:
-> add reporter LinuxFUSE /tmp/mountPoint Adding reporter LinuxFUSE... done
Provided that no file or directory already exists at
/tmp/mountPoint, the above line will mount the FUSE filesystem at
/tmp/mountPoint. Any filesystem events that occur in this subtree will be monitored by SPADE and their provenance recorded. Information about the processes that generate the filesystem activity will also be collected and reported.