METHOD FOR REDUCING THE TIME TO DIAGNOSE THE CAUSE OF UNEXPECTED CHANGES TO SYSTEM FILES

US 20090094676A1
Filed: 10/09/2007
Published: 04/09/2009
Est. Priority Date: 10/09/2007
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring access to a file within a file system in a computer, the method comprising steps of:

monitoring a plurality of requests for access to files;

intercepting the requests;

analyzing metadata associated with the file;

if the metadata comprises a directive entry;

identifying information about any application requesting access to the file, including a sequence of function calls that preceded the file access request; and

logging the information to generate an audit trail of the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for monitoring access to a file within a file system includes steps or acts of: monitoring a plurality of requests for access to files; intercepting the requests; and analyzing metadata located in the file. If the metadata includes a directive entry, the method includes these additional steps: identifying information about any application requesting access to the file, including a sequence of function calls that preceded the file access request; and logging the information to generate an action trail of the application. A mechanism for monitoring file access includes the following: a file system configured for monitoring accesses to any file residing within it; an access control mechanism which can execute pre-defined actions when an unauthorized file access occurs; and a tool to specify the list of files to be monitored.

44 Citations

View as Search Results

20 Claims

1. A method for monitoring access to a file within a file system in a computer, the method comprising steps of:
- monitoring a plurality of requests for access to files;
  
  intercepting the requests;
  
  analyzing metadata associated with the file;
  
  if the metadata comprises a directive entry;
  
  identifying information about any application requesting access to the file, including a sequence of function calls that preceded the file access request; and
  
  logging the information to generate an audit trail of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the identifying step comprises:
    - walking through a chain of stack frames starting from a current stack frame;
      
      noting a return address for each stack frame; and
      
      identifying functions in a call chain based on the return address.
  - 3. The method of claim 1 wherein logging the information comprises:
    - obtaining a stack trace of the application'"'"'s thread; and
      
      recording a log entry into a system log, the log entry comprising a stack trace, command name, user name, and other related information of the application accessing the file.
  - 4. The method of claim 1 further comprising a step of:
    - informing the file system that file access has to be monitored and recorded.
  - 5. The method of claim 3 wherein the directive entry comprises a directive to the file system to record the log entry whenever a specific access is requested on the file.
  - 6. The method of claim 1 further comprising a step of:
    - informing a system administrator that an undesirable file access or change has occurred.
  - 7. The method of claim 1 further comprising a step of:
    - inserting the directive entry into the access control list of the file.
  - 8. The method of claim 7 wherein the inserting step comprises:
    - using a command line tool to invoke a system call to insert the directive entry.
  - 9. The method of claim 8, comprising steps of:
    - identifying an exact file system containing the file;
      
      invoking that file system'"'"'s set-acl operation to add a new directive entry;
      
      verifying that a user has permission to modify the access control list; and
      
      inserting the directive entry.
  - 10. The method of claim 1 further comprising:
    - inserting the directive entry into a kernel logical file system component.

11. A mechanism for monitoring file access, the mechanism comprising:
- a file system operable for monitoring accesses to any file residing within the file system;
  
  an access control mechanism configured for executing pre-defined actions when an unauthorized file access occurs; and
  
  a tool to specify a list of the files to be monitored.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The mechanism of claim 11 wherein the file system supports the monitoring of the file accesses, or permission changes to any given file in the file system.
  - 13. The mechanism of claim 11 wherein the file system supports dynamic changes of the list of the files to be monitored.
  - 14. The mechanism of claim 11 wherein the access control mechanism can take the following actions when a monitored file is being accessed, modified, or when the file permission is being changed:
    - trace the execution stack of the thread that is trying to access, modify, or change permission of the file; and
      
      record a log entry into system log with the “
      
      stack trace” and
      
      other related information of the program accessing the file.
  - 15. The mechanism of claim 11 wherein said tool contains a method to inform the file system that a file access has to be monitored and recorded.
  - 16. The mechanism of claim 11 wherein said tool contains a method to inform the system administrator that an undesirable file access or change has occurred.

17. A computer program product embodied on a computer readable medium and comprising code that, when executed, causes a computer to perform the following:
- monitor a plurality of requests for access to files;
  
  intercept the requests;
  
  analyze metadata associated with the file;
  
  if the metadata comprises a directive entry;
  
  identify information about any application requesting access to the file, including a sequence of function calls that preceded the file access request; and
  
  log the information to generate an action trail of the application.
- View Dependent Claims (18, 19)
- - 18. The computer program product of claim 17, wherein the code further causes a computer to:
    - insert the directive entry into the access control list of the file.
  - 19. The computer program product of claim 17, wherein the code further causes a computer to:
    - insert the directive entry into a kernel logical file system component.

20. A system for obtaining services comprising:
- a mechanism for monitoring file access, the mechanism comprising;
  
  a file system which can monitor accesses to any file residing within it;
  
  an access control mechanism which can take pre-defined actions when an unauthorized file access occurs; and
  
  a tool to specify the list of files to be monitored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Burugula, Ramanjaneya Sarma, Jann, Joefon, Pattnaik, Pratap Chandra

Granted Patent

US 8,621,605 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/554 involving event detection a...

METHOD FOR REDUCING THE TIME TO DIAGNOSE THE CAUSE OF UNEXPECTED CHANGES TO SYSTEM FILES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR REDUCING THE TIME TO DIAGNOSE THE CAUSE OF UNEXPECTED CHANGES TO SYSTEM FILES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links