A simple auditing utility for macOS
Languages: C, C++, Makefile
Latest commit 7ce4201 (Sep 15, 2018): meliot merged pull request #10 from Toranktto/master
FreeBSD support and bugfixes

Files (name, latest commit message, commit time):
lib             FreeBSD support and bugfixes   Sep 15, 2018
.gitignore      Directory fix                  Jul 3, 2017
LICENSE.txt     First commit                   Jul 2, 2017
Makefile
README.md       New blog                       Jan 29, 2018
filewatcher.c   Updated copyright              Mar 15, 2018
screenshot.png  New screenshot                 Jan 30, 2018
slides.pdf

README.md

filewatcher

a simple auditing utility for macOS

Filewatcher is an auditing and monitoring utility for macOS.

It can audit every event the kernel publishes on the macOS audit pipe (/dev/auditpipe, the OpenBSM audit record stream) and filter them by process or by file. You can use this utility to:

  • Monitor access to a file, or a group of files.
  • Monitor activity of a process, and which resources are accessed by that process.
  • Build a small Host-Based IDS by monitoring access or modifications to specific files.
  • Do dynamic malware analysis by monitoring what the malware touches on the filesystem.
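To make concrete what actually comes out of the audit pipe, here is an added example, not filewatcher's code: a small C program that decodes raw BSM records by walking their tokens, applies a path filter in the spirit of the -f option, and reads the raw stream on stdin. On a real macOS or FreeBSD build you would normally let libbsm's au_read_rec() and au_fetch_tok() do the decoding; this example hand-decodes the few token types an open(2) record carries so it compiles on any platform. The token ids, token layouts and the AUE_OPEN_R event number are taken from OpenBSM's audit_record.h and audit_kevents.h; the program name bsmfilter, the sample record, the pid 4242 and the watched path are constructed for the demo.

```c
/* bsmfilter.c: decode raw OpenBSM audit records and keep the ones that touch one path.
 * Added example, not filewatcher's code. It hand-decodes the token types an open(2) record
 * carries instead of linking libbsm, so it builds anywhere; layouts follow OpenBSM's
 * audit_record.h. Assumed use on macOS/FreeBSD (root): sudo cat /dev/auditpipe | ./bsmfilter /etc/passwd */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { AUT_TRAILER = 0x13, AUT_HEADER32 = 0x14, AUT_PATH = 0x23, AUT_SUBJECT32 = 0x24,
       AUT_RETURN32 = 0x27, AUT_ATTR32 = 0x3e, AUT_TRAILER_MAGIC = 0xb105, AUE_OPEN_R = 72 };
enum { HDR_LEN = 18, TRL_LEN = 7 }; /* header32: id,len(4),ver,event(2),mod(2),sec(4),msec(4); trailer: id,magic(2),len(4) */
typedef struct {
    uint16_t event;                 /* AUE_* number (audit_kevents.h) */
    uint32_t sec, pid, auid, euid;  /* header timestamp; subject token fields */
    uint8_t  err;                   /* errno from the return token, 0 = success */
    int      complete;              /* 0 if an unknown token stopped decoding early */
    char     path[1024];            /* last path token, "" if none */
} bsm_rec;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }
/* Decode one record. Returns bytes consumed, 0 if more input is needed, -1 if the framing
 * is corrupt. BSM is big-endian; the header's length is repeated by the trailer token. */
int bsm_parse(const uint8_t *buf, size_t len, bsm_rec *r)
{
    memset(r, 0, sizeof *r);
    if (len > 0 && buf[0] != AUT_HEADER32) return -1;
    if (len < HDR_LEN) return 0;
    uint32_t reclen = rd32(buf + 1);
    if (reclen < HDR_LEN + TRL_LEN) return -1; if (reclen > len) return 0;
    size_t end = reclen - TRL_LEN;              /* offset of the trailer token */
    if (buf[end] != AUT_TRAILER || rd16(buf + end + 1) != AUT_TRAILER_MAGIC || rd32(buf + end + 3) != reclen)
        return -1;
    r->event = rd16(buf + 6); r->sec = rd32(buf + 10); r->complete = 1;
    for (size_t off = HDR_LEN; off < end;) {
        const uint8_t *p = buf + off + 1;       /* token body */
        size_t left = end - off - 1;
        switch (buf[off]) {
        case AUT_PATH: {                        /* len(2) incl. NUL, then the string */
            uint16_t n = left < 2 ? 0 : rd16(p);
            if (n == 0 || n > left - 2 || p[1 + n] != 0) return -1;
            snprintf(r->path, sizeof r->path, "%s", (const char *)p + 2);
            off += 3 + n; break;
        }
        case AUT_SUBJECT32:                     /* auid euid egid ruid rgid pid sid tid(8) */
            if (left < 36) return -1;
            r->auid = rd32(p); r->euid = rd32(p + 4); r->pid = rd32(p + 20); off += 37; break;
        case AUT_RETURN32: if (left < 5) return -1; r->err = p[0]; off += 6; break;   /* errno(1) retval(4) */
        case AUT_ATTR32: if (left < 28) return -1; off += 29; break;   /* mode uid gid fsid nid(8) dev: skipped */
        default: r->complete = 0; off = end;    /* unknown token, unknown length: stop here */
        }
    }
    return (int)reclen;
}

/* Match when the record's path is `file` itself or anything below it. */
int bsm_matches_file(const bsm_rec *r, const char *file)
{
    size_t n = strlen(file);
    if (n == 0 || r->path[0] == 0 || strncmp(r->path, file, n) != 0) return 0;
    return r->path[n] == 0 || r->path[n] == '/' || file[n - 1] == '/';
}

/* Constructed AUE_OPEN_R record: pid 4242 (euid 501) opened /etc/passwd read-only.
 * Sample input only, not captured from a real system. */
static const uint8_t sample_rec[] = {
    0x14, 0x00,0x00,0x00,0x70, 0x0b, 0x00,0x48, 0x00,0x00, 0x5b,0x9c,0x4d,0x00, 0x00,0x00,0x00,0x00, /* header32: 112 bytes, v11, AUE_OPEN_R */
    0x23, 0x00,0x0c, '/','e','t','c','/','p','a','s','s','w','d', 0x00,                             /* path */
    0x3e, 0x00,0x00,0x81,0xa4, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,       /* attr32: mode 0644, uid 0, gid 0, fsid 1, */
          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2a, 0x00,0x00,0x00,0x01,                             /*   node id 42, device 1 */
    0x24, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x00,0x14, 0x00,0x00,0x01,0xf5,       /* subject32: auid 501, euid 501, egid 20, ruid 501, */
          0x00,0x00,0x00,0x14, 0x00,0x00,0x10,0x92, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* rgid 20, pid 4242, sid 0, tid 0 */
    0x27, 0x00, 0x00,0x00,0x00,0x03,                                                                /* return32: errno 0, fd 3 */
    0x13, 0xb1,0x05, 0x00,0x00,0x00,0x70,                                                           /* trailer: magic, 112 bytes */
};
int parse_sample_prefix(size_t len) { bsm_rec r; return bsm_parse(sample_rec, len, &r); } /* verdict on the first len bytes */
/* The decoded sample record, or NULL if the parser rejects it. */
const bsm_rec *parse_sample(void)
{
    static bsm_rec r;
    return bsm_parse(sample_rec, sizeof sample_rec, &r) == (int)sizeof sample_rec ? &r : NULL;
}

/* Stream filter: feed the raw bytes of /dev/auditpipe (or a saved copy) on stdin. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16]; size_t have = 0, used = 0, got; bsm_rec r; int n = 0;
    do {
        got = fread(buf + have, 1, sizeof buf - have, stdin); have += got;
        while ((n = bsm_parse(buf + used, have - used, &r)) > 0) {
            used += (size_t)n;
            if (bsm_matches_file(&r, argc > 1 ? argv[1] : "/"))
                printf("%u event=%u pid=%u euid=%u err=%u %s%s\n", r.sec, (unsigned)r.event, r.pid, r.euid, (unsigned)r.err, r.path, r.complete ? "" : " (partial decode)");
        }
        memmove(buf, buf + used, have - used); have -= used; used = 0;
    } while (n == 0 && got > 0);    /* stop on corrupt framing (n < 0) or EOF */
    return n < 0;
}
```

Two things a practitioner should keep in mind when running this, or filewatcher itself, against the live pipe. First, which events reach /dev/auditpipe at all depends on the audit class flags in /etc/security/audit_control (the fr and fw classes cover file reads and writes), unless the reader installs its own preselection on the pipe with the AUDITPIPE_SET_PRESELECT_MODE ioctl; an empty stream is almost always a preselection problem, not a parser one. Second, the filter above matches on the path token, and records with several path tokens (renames, links) keep only the last one here, so sudo praudit /dev/auditpipe is the tool to cross-check what the parser is choosing to report.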

If you want to read more about how it works, check my blog.

Installation

Just run make to compile it and then ./bin/filewatcher. Reading /dev/auditpipe requires root, and the audit subsystem must be enabled (auditd running) or the pipe delivers nothing, so in practice start it with sudo, e.g. sudo ./bin/filewatcher -f /etc/passwd to watch a single file.

```text
Usage: ./bin/filewatcher [OPTIONS]
  -f, --file            Set a file to filter
  -p, --process         Set a process name to filter
  -a, --all             Display all events (By default only basic events like open/read/write are displayed)
  -d, --debug           Enable debugging messages to be saved into a file
  -h, --help            Print this help and exit
```

Expected output: see screenshot.png in the repository.
