Watching Under The Hood Of Tiger's Spotlight

jaketheitguy writes "Over at KernelThread.com, Amit Singh has released a commandline app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime. The utility apparently intercepts and displays filesystem change data as it goes out to Spotlight from the kernel. It even tells you which app is making the changes. Looks like Apple has included some pretty powerful API's in Tiger and there may be some othre really interesting uses of this API as mentioned on the app's page. I for one would really like to be able to tell if somebody changed ANY files on my system without my knowledge. I think you can do that with Singh's program, but how do you make sure somebody cannot disable the program?"

Two in a row?

Although it's two different areas, isn't two articles on spotlight a little extreme?
Come on Hemos, lets have a hattrick :-)

and oh... I for one welcome our new Spotlight overlords

Spotlight changed my life.

I used to be a lonely nerd, but thanks to Spotlight I can:

- Run Faster
- Jump Higher
- Score with the chicks
- Regrow lost hair!

Two stories in 20 minutes?

It seems that the Spotlight is in the spotlight. Contrary to what I said [slashdot.org] before, the AC might have been right about Spotlight being overhyped in the extremes. It is overhyped to the max.

Recursion

Amit Singh has released a commandline app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime.

So, this application would shine a spotlight on Spotlight? Is that anything like when you point a video camera at a monitor hooked up to the camera's output?

IDS Potential

This has a lot of potential in the server market. Imagine an IDS that monitors certain files for changes and notifies the sysadmin immediately whenever a static file is updated. The system could have scheduled periods for upgrades, during which it doesn't send a thousand warnings to you, but other than that, it could monitor all disk activity at a low level without being subverted by e.g. changing the IDS's file hashes before it does its next check.

Interesting idea.

Where's "As Seen on TV" ...

... when you need him?

He was very vocal about this sort of thing, and now he's gone very quiet. Almost as if he was an Apple employee who was given The Warning (tm) or... (obligatory Star Wars reference being used in shameless Karma whoring) ... as if a million of his posts were made, and then suddenly silenced. Hmm...

When I get some time, I'll read the article (thus breaking a long-running streak for me) and compare to ASoT's statements.

Tracking changes to the file system

There's a system call that lets user-space programs subscribe to a lot of interesting kernel level events.

Take a look at the kqueue(2) man page.

There are more details available at http://people.freebsd.org/~jlemon/papers/kqueue.pd f [freebsd.org]

Physical security essential

"how do you make sure somebody cannot disable the program?"

You can't, not withint guarenteeing physical security to the box.

If someone can pull your hard disk OR boot with their own media, all is lost.

Short of that, your question amounts to "how do I keep from getting rootkitted."

Re:Just use fs_usage

On a side note this kind of thing is (though i cant check exactly im just going from the info i have on what spotlight does cause Well. I dont have a mac :P ) also available for windows machines through programs available at www.sysinternals.com

These guys are utter LORDS of the nt OS by any definiton. ( read their "About us" section and see just how A class it is. A Microsoft Most Valued Proffesional no less )

Anyway. There are filesystem access and notification tools around for nearly any os and its good to see OS X realy making a push with them instead of the way theyer usualy swept under the rug in most OSes publicity stuff (not that many oses have publicity to speak of lol )