ACCESS EVENT COLLECTION

US 20090265780A1
Filed: 04/21/2008
Published: 10/22/2009
Est. Priority Date: 04/21/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of monitoring data accesses in a computer system, comprising the steps of:

concurrently executing a monitor program and a kernel program, said kernel program servicing requests for data accesses in a file system, said file system comprising index nodes that respectively index descriptors of computer files;

detecting in said kernel program a request for access to one of said computer files, said request comprising a full path name of said one of said computer files;

using said monitor program, obtaining said full path name;

using said kernel program, processing said request by determining an identifier of one of said index nodes that corresponds to said one of said computer files and executing said request using said identifier;

while performing said step of processing said request, obtaining said identifier using said monitor program;

using said monitor program memorizing said full path name and said identifier as an entry in a log file; and

accessing said log file for analysis of said requests for data access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

On-line and computationally efficient methods and systems are provided for back resolving path names of files from inode numbers during data access request processing. As a result, a near real-time recording of data access events is achieved, including identification of the user who performed the access, and the full path name of the data object that was accessed. In a typical application, access events are collected for use in access control of storage elements in complex organizational file systems.

110 Citations

View as Search Results

18 Claims

1. A method of monitoring data accesses in a computer system, comprising the steps of:
- concurrently executing a monitor program and a kernel program, said kernel program servicing requests for data accesses in a file system, said file system comprising index nodes that respectively index descriptors of computer files;
  
  detecting in said kernel program a request for access to one of said computer files, said request comprising a full path name of said one of said computer files;
  
  using said monitor program, obtaining said full path name;
  
  using said kernel program, processing said request by determining an identifier of one of said index nodes that corresponds to said one of said computer files and executing said request using said identifier;
  
  while performing said step of processing said request, obtaining said identifier using said monitor program;
  
  using said monitor program memorizing said full path name and said identifier as an entry in a log file; and
  
  accessing said log file for analysis of said requests for data access.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, further comprising the steps of:
    - identifying in said monitor program an originator of said request; and
      
      including an identifier of said originator in said entry in said log file.
  - 3. The method according to claim 2, further comprising the step of responsively to said step of accessing said log file, modifying privileges of said originator to access said file system.
  - 4. The method according to claim 1, further comprising the steps of:
    - accepting a second identifier of one of said index nodes;
      
      establishing that said identifier in said entry matches said second identifier;
      
      responsively to said step of establishing retrieving said full path name from said entry; and
      
      reporting said full path name.
  - 5. The method according to claim 1, wherein said index nodes are inodes.
  - 6. The method according to claim 1, wherein said index nodes are vnodes.

7. A computer software product for monitoring file system data accesses, including a computer storage medium in which computer program instructions are stored, which instructions, when executed by a computer, cause the computer to concurrently execute a monitor program and a kernel program, said kernel program servicing requests for data accesses in a file system, said file system comprising index nodes that respectively index descriptors of computer files, detect in said kernel program a request for access to one of said computer files, said request comprising a full path name of said one of said computer files, using said monitor program, obtain said full path name, using said kernel program, process said request by determining an identifier of one of said index nodes that corresponds to said one of said computer files and executing said request using said identifier, and said instructions further cause said computer to obtain said identifier with said monitor program while processing said request, memorize said full path name and said identifier as an entry in a log file, and access said log file for analysis of said requests for data access.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer software product according to claim 7, wherein said instructions further cause said computer to identify an originator of said request using said monitor program, and include an identifier of said originator in said entry in said log file.
  - 9. The computer software product according to claim 8, wherein said instructions further cause said computer to modify privileges of said originator to access said file system responsively to said entry in said log file,.
  - 10. The computer software product according to claim 7, wherein said instructions further cause said computer to accept a second identifier of one of said index nodes, establish that said identifier in said entry matches said second identifier, retrieve said full path name from said entry, and report said full path name.
  - 11. The computer software product according to claim 7, wherein said index nodes are inodes.
  - 12. The computer software product according to claim 7, wherein said index nodes are vnodes.

13. A data processing system for monitoring file system data accesses, comprising:
- a processor; and
  
  a memory accessible to said processor that stores a monitor program and a kernel program, said processor operative to concurrently execute said monitor program and said kernel program, said kernel program servicing requests for data accesses in a file system, said file system comprising index nodes that respectively index descriptors of computer files, said processor is operative to detect in said kernel program a request for access to one of said computer files, said request comprising a full path name of said one of said computer files, using said monitor program, obtain said full path name, using said kernel program, process said request by determining an identifier of one of said index nodes that corresponds to said one of said computer files and executing said request using said identifier, and said processor is operative to obtain said identifier with said monitor program while processing said request, memorize said full path name and said identifier as an entry in a log file, and access said log file for analysis of said requests for data access.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The data processing system according to claim 13, wherein said processor is operative to identify an originator of said request using said monitor program, and include an identifier of said originator in said entry in said log file.
  - 15. The data processing system according to claim 14,further comprising a display linked to said processor, wherein said processor is operative to output at least a portion of said log file to said display;
    - and responsively to said entry in said log file, modify privileges of said originator to access said file system.
  - 16. The data processing system according to claim 13, wherein said processor is operative to accept a second identifier of one of said index nodes, establish that said identifier in said entry matches said second identifier, retrieve said full path name from said entry, and report said full path name.
  - 17. The data processing system according to claim 13, wherein said index nodes are inodes.
  - 18. The data processing system according to claim 13, wherein said index nodes are vnodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Bass, David, Keysar, Yizhar, Faitelson, Yakov, Korkus, Ohad, Kretzer, Ophir

Application Number

US12/106,466
Publication Number

US 20090265780A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/6281 at program execution time, ...

G06F 2221/2101 Auditing as a secondary aspect

ACCESS EVENT COLLECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

110 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS EVENT COLLECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links