Become a fan of Slashdot on Facebook


Forgot your password?
OS X Businesses Operating Systems Apple

Watching Under The Hood Of Tiger's Spotlight 43

jaketheitguy writes "Over at, Amit Singh has released a commandline app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime. The utility apparently intercepts and displays filesystem change data as it goes out to Spotlight from the kernel. It even tells you which app is making the changes. Looks like Apple has included some pretty powerful API's in Tiger and there may be some othre really interesting uses of this API as mentioned on the app's page. I for one would really like to be able to tell if somebody changed ANY files on my system without my knowledge. I think you can do that with Singh's program, but how do you make sure somebody cannot disable the program?"
This discussion has been archived. No new comments can be posted.

Watching Under The Hood Of Tiger's Spotlight

Comments Filter:
  • Two in a row? (Score:1, Offtopic)

    by jack_call ( 742032 ) *
    Although it's two different areas, isn't two articles on spotlight a little extreme?
    Come on Hemos, lets have a hattrick :-)

    and oh... I for one welcome our new Spotlight overlords
    • by Anonymous Coward
      First there always has been a program called /usr/bin/fs_usage which monitors file system access. Second is the story writer worried about someone altering his files or about spotlight. How spotlight functions has been the subject of many detailed articles. Any time you change a file, spotlight calls the appropriate indexing program and collects and stores the metadata. It is not going to alter the data fork of your document but the data has to get stored somewhere. So relax. this story is paranoid de
  • by duffbeer703 ( 177751 ) on Monday May 23, 2005 @08:18AM (#12610935)
    I used to be a lonely nerd, but thanks to Spotlight I can:

    - Run Faster
    - Jump Higher
    - Score with the chicks
    - Regrow lost hair!
    • Disclaimer: If any of these conditions persist for more than four hours, seek medical attention immediately.
    • Ask you doctor if "Spotlight" may be right for you!

      Possible side effects may include but are not limited to data loss, computer malfunction, loss of electricity, rugburn, high phone bills, cataracts, auto repossession, and in rare cases death and/or dismemberment and eternal damnation. Use only as directed.
  • It seems that the Spotlight is in the spotlight. Contrary to what I said [] before, the AC might have been right about Spotlight being overhyped in the extremes. It is overhyped to the max.
  • Recursion (Score:2, Funny)

    by dangitman ( 862676 )
    Amit Singh has released a commandline app called FSLogger for looking under the hood of Tiger's Spotlight. You can watch all kinds of filesystem changes going on in realtime.

    So, this application would shine a spotlight on Spotlight? Is that anything like when you point a video camera at a monitor hooked up to the camera's output?

  • This has a lot of potential in the server market. Imagine an IDS that monitors certain files for changes and notifies the sysadmin immediately whenever a static file is updated. The system could have scheduled periods for upgrades, during which it doesn't send a thousand warnings to you, but other than that, it could monitor all disk activity at a low level without being subverted by e.g. changing the IDS's file hashes before it does its next check.

    Interesting idea.
    • Tripwire (Score:3, Informative)

      by @madeus ( 24818 )
      Actually you can get this functionality already in a long standing Unix utility called Tripwire. [] []

      There is even a Mac OS X version now it seems: []

      Of course you'd probably then want an OS that implements some form of relevant Mandatory Access Control / POSIX.1e (e.g. LIDS for Linux, Trusted Solaris, or Argus Pitbull (Linux/Solaris)) to help prevent the intruder from interfering with Tripwire i
      • Re:Tripwire (Score:3, Informative)

        by womby ( 30405 )
        I am going to assume you didn't read the article and provide a small description of what fslogger is doing and how it has nothing in common with tripwire.

        Fslogger runs continuously and registers itself with the kernel, when a filesystem change event happens details about it are announced to all registered apps and fslogger displays the information it receives in a useful (if verbose) manner.

        Tripwire is a fantastically useful app which I run on every one of the servers I admin, and perhaps the OSX version
      • I didn't notice that you was replying to somebody who suggested creating tripwire, I thought you had posted a comment specifically about flogger.

        Sorry if it the reply came across as harsh.
        • Hehe, easily done. :)

          I think the idea of having Tripwire hooks so that it's automatically informed of changes real time when on Mac OS X is certainly interesting and I'd think eminently doable.

          I think true real time updates may actually have been a feature of a commercial implimentation (for Solaris), but that would be going back 7-8 years ago now, so I'm not certain (it could have been just a daemon that periodically checked for changes, or I may have remembered wrongly).

          PS: I hadn't heard the name 'fsl
    • Tripwire (Score:2, Informative)

      by mithran8 ( 186371 )
      You may be shocked to know how often files change on your system... without a good policy defining the scope of your monitoring, you're asking for a world of hurt. As @madeus mentions, there is an OS X build of Tripwire which gives you a good deal of this functionality. Two caveats, however:

      - Tripwire is not a real-time service, it's scheduled to run at specific (user-defined) times.

      - Tripwire does not prevent anyone from making changes - it merely ensures that any changes to the OS are recorded and mad
  • ... when you need him?

    He was very vocal about this sort of thing, and now he's gone very quiet. Almost as if he was an Apple employee who was given The Warning (tm) or... (obligatory Star Wars reference being used in shameless Karma whoring) ... as if a million of his posts were made, and then suddenly silenced. Hmm...

    When I get some time, I'll read the article (thus breaking a long-running streak for me) and compare to ASoT's statements.
  • by Simon Spero ( 10945 ) on Monday May 23, 2005 @12:03PM (#12612701)
    There's a system call that lets user-space programs subscribe to a lot of interesting kernel level events.

    Take a look at the kqueue(2) man page.

    There are more details available at f []

    • Yeh, when I heard about this I assumed that Apple would use kqueue and watch changes in the vnodes. It would require some extension to kqueue, because there's no "EVFILT_FS" or "EVFILT_VOP" filter that would monitor VOPs on more than a single file. But they needed to extend HFS+, too, so that's not really a big deal. You do have to be careful with this, because trying to monitor VOP_WRITE would be like drinking from a firehose... but you wouldn't actually need to track file content changes that closely for
  • "how do you make sure somebody cannot disable the program?"

    You can't, not withint guarenteeing physical security to the box.

    If someone can pull your hard disk OR boot with their own media, all is lost.

    Short of that, your question amounts to "how do I keep from getting rootkitted."

"And remember: Evil will always prevail, because Good is dumb." -- Spaceballs