File System Event Tracking
First Claim
1. A file system tracking method, comprising:
- intercepting a file system security change request directed to a target file system object, the target file system object having a current security state, the security change request specifying a final security state;
- recording the current security state;
- communicating the security change request to a file system;
- intercepting an indication that the security change request has been processed by the file system; and
- recording the final security state.
Abstract
Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system events may be aggregated and reported as a single event.
44 Claims
1. A file system tracking method, comprising:
- intercepting a file system security change request directed to a target file system object, the target file system object having a current security state, the security change request specifying a final security state;
- recording the current security state;
- communicating the security change request to a file system;
- intercepting an indication that the security change request has been processed by the file system; and
- recording the final security state.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 41
14. A file system tracking method, comprising:
- identifying a first file system event changing a first file system object's name from a first name to a second name;
- identifying a second file system event changing a second file system object's name to the first name; and
- aggregating the first and second file system events as a single file modification event for the first file system object.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 40
23. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
- recording the intercepted file system events in a kernel memory;
- retrieving the recorded file system events from kernel memory to a user level memory;
- identifying, from the retrieved file system events, a first file system event changing a first file system object's name from a first name to a second name;
- identifying, from the retrieved file system events, a second file system event changing a second file system object's name to the first name;
- consolidating the first and second file system events into a third file system event; and
- recording the third file system event as a file modification event for the first file system object.
Dependent claims: 24, 25, 26, 27, 28, 29, 42
30. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
- recording the intercepted file system events in a kernel memory;
- retrieving the recorded file system events from kernel memory to a user level memory;
- identifying, from the retrieved file system events, a first file system event copying a first file system object from a first location to a second location;
- identifying, from the retrieved file system events, a second file system event deleting the first file system object from the first location;
- consolidating the first and second file system events into a third file system event; and
- recording the third file system event as a file move event for the first file system object.
Dependent claims: 31, 32, 43
33. A file system tracking method, comprising:
- identifying a first file system event opening a first file system object;
- identifying a second file system event creating a second file system object;
- detecting one or more read operations directed to the first file system object into a specified memory;
- detecting one or more file system write operations to the second file system object from the specified memory; and
- consolidating the first file system event, the second file system event, the one or more file system read operations and the one or more file system write operations into a single file modification event.
Dependent claims: 34, 35, 36, 37, 38, 39, 44
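
An added illustration, not part of the patent text or of any implementation by its assignee: a Python sketch of the pairwise consolidation recited in claims 14 and 23 (a rename pair reported as one modification) and in claim 30 (a copy followed by a delete reported as one move). The `Event` record, the `consolidate` function, the look-ahead `window` and the sample paths are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    op: str                      # raw: rename/copy/delete; consolidated: modify/move
    path: str                    # object acted on (source of a rename or copy)
    dest: Optional[str] = None   # new name or copy target, if any
    raw: Tuple[int, ...] = ()    # indexes of the raw events behind a consolidated one

def _match(first: Event, second: Event) -> Optional[Event]:
    # Claims 14/23: A renamed to B, then another object renamed to A -> A was modified.
    if first.op == "rename" and second.op == "rename" and second.dest == first.path:
        return Event("modify", first.path)
    # Claim 30: A copied to B, then A deleted from its first location -> A was moved.
    if first.op == "copy" and second.op == "delete" and second.path == first.path:
        return Event("move", first.path, first.dest)
    return None

def consolidate(events: List[Event], window: int = 4) -> List[Event]:
    """Collapse matching pairs; `window` (how far ahead to look) is an assumption."""
    out, used = [], set()
    for i, first in enumerate(events):
        if i in used:
            continue
        for j in range(i + 1, min(i + 1 + window, len(events))):
            merged = None if j in used else _match(first, events[j])
            if merged:
                used.add(j)
                out.append(Event(merged.op, merged.path, merged.dest, raw=(i, j)))
                break
        else:
            out.append(first)  # no pattern matched: report the raw event unchanged
    return out

# Constructed sample: an editor "safe save", an unrelated delete, then a copy+delete.
SAMPLE = [
    Event("rename", "/docs/plan.txt", "/docs/plan.bak"),
    Event("delete", "/tmp/scratch"),
    Event("rename", "/docs/plan.tmp", "/docs/plan.txt"),
    Event("copy", "/hr/pay.xls", "/usb/pay.xls"),
    Event("delete", "/hr/pay.xls"),
]

if __name__ == "__main__":
    for ev in consolidate(SAMPLE):
        print(ev)
```

Each consolidated record keeps the indexes of the raw events it replaced, so a reported modification or move can still be traced back to what was intercepted.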
Specification