LinuxQuestions.org


Linux_Kidd 03-13-2024 12:55 AM

Wrapping char device monitor
 
I am working on a kind of forensic shim, another layer in file integrity monitoring.

Looking for a way to wrap or monitor a /dev/device character file for writes and log what's being written to it.

As an example, I have a system that has a loaded .ko that will write data to the /dev/device special char file. I want to capture all the writes to the device.

Suggestions?

astrogeek 03-18-2024 01:23 AM

I suppose one person's forensic shim is another person's keylogger.

Perhaps that is why the question has not attracted any replies.

Linux_Kidd 03-19-2024 01:43 PM

I guess in those terms, there does exist legit "keylogging", but in my case it's a .ko loaded in that writes data obtained from probing some SoC gpio pins to a char device. Not everything has bad-actor intent.

dugan 03-22-2024 04:10 PM

I was going to suggest Inotify, but couldn’t you just “cat” or “tail” the device?


All times are GMT -5.