Skip to content

Limiting filesystem provenance collection on Linux

Jump to bottom
Ashish Gehani edited this page Jul 27, 2015 · 3 revisions

It may be preferable to only collect provenance about a limited part of the filesystem (that a target application is using, for example). Additionally, collecting fine-grained provenance, including I/O time, can impose significant overhead when done across the entire operating system. This reporter allows provenance collection to be limited to a subtree of the filesystem (which is /tmp/mountPoint in the example below).

Requirements:

yum install fuse fuse-devel fuse-libs

The LinuxFUSE reporter is built automatically with make in the top-level SPADE directory. Before this reporter can be used, the option user_allow_other must be enabled in the file /etc/fuse.conf.

To use this reporter, the argument must specify the path where the FUSE filesystem will be mounted:

-> add reporter LinuxFUSE /tmp/mountPoint
Adding reporter LinuxFUSE... done

Provided that no file or directory already exists at /tmp/mountPoint, the above line will mount the FUSE filesystem at /tmp/mountPoint. Any filesystem events that occur in this subtree will be monitored by SPADE and their provenance recorded. Information about the processes that generate the filesystem activity will also be collected and reported.

This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Clone this wiki locally