ebpf-file-monitor is a slick Rust program that keeps an eagle-eye on your files and alerts you the moment changes occur!
- Uses cutting-edge eBPF technology to trace file events
- Prints out a timestamp the instant your file is modified
- Works smoothly across Linux, Windows and MacOS
- Rust 1.56+ (get the latest and greatest)
- Cargo (Rust's sweet package manager)
- Any mainstream OS - Linux, Windows or MacOS
- libbpf and bcc libraries (eBPF's dynamic duo)
# Clone this puppy
git clone https://github.com/mranv/ebpf-file-monitor.git
# Hop into the directory
cd ebpf-file-monitor
# Install bcc and libbpf if needed
# For Fedora/RedHat:
sudo yum install bcc bpf
# For Debian/Ubuntu:
sudo apt-get install libbpf-dev libbcc-dev
# Build
cargo build --releaseUpdate the FILE_PATH to the file you want to keep an eye on.
Let this watchdog loose:
./target/release/ebpf-file-monitor
Now it'll print a timestamp immediately when that file changes.
So you can catch co-workers messing with your stuff! Or track edits on your top secret novel.
- Uses libbpf to load sneaky eBPF programs that trace
openandwritesyscalls. - Filters for events on your target file.
- When a modify event occurs, bam! prints the timestamp.
- eBPF + bcc = smooth cross-platform action.
- Watches only one file at a time.
- Needs eBPF/bcc libraries installed.
Ideas to improve this little watchdog are welcome! Woof woof!