File system event tracking

US 8,640,232 B2
Filed: 11/06/2012
Issued: 01/28/2014
Est. Priority Date: 09/26/2006
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising instructions stored thereon to cause one or more processors to:

intercept a plurality of file system security change requests directed to a target file system object, each file system security change request having a corresponding current security state and a corresponding final security state;

wherein the plurality of file system security change requests are intercepted in a sequential order;

record each said current security state in the order in which it was intercepted;

communicate the plurality of file system security change requests to a file system;

intercept an indication that the plurality of file system security change requests have been processed by the file system;

record each said final security state;

aggregate each said recorded current security state and each said recorded final security state;

identify an event based, at least in part, on the aggregation; and

store an indication of the identified event.

View all claims

25 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system event may be aggregated and reported as a single event.

21 Citations

View as Search Results

18 Claims

1. A non-transitory computer readable medium comprising instructions stored thereon to cause one or more processors to:
- intercept a plurality of file system security change requests directed to a target file system object, each file system security change request having a corresponding current security state and a corresponding final security state;
  
  wherein the plurality of file system security change requests are intercepted in a sequential order;
  
  record each said current security state in the order in which it was intercepted;
  
  communicate the plurality of file system security change requests to a file system;
  
  intercept an indication that the plurality of file system security change requests have been processed by the file system;
  
  record each said final security state;
  
  aggregate each said recorded current security state and each said recorded final security state;
  
  identify an event based, at least in part, on the aggregation; and
  
  store an indication of the identified event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory computer readable medium of claim 1, wherein the file system security change request comprises a type of security change request that has been specified to be tracked.
  - 3. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the one or more processors to:
    - determine an inherited security change to a hierarchically related object of the target file system object;
      
      intercept an indication that the inherited security change has been processed by the file system; and
      
      record a final security state of the hierarchically related object.
  - 4. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to intercept the plurality of file system security change requests are performed by a kernel-level application.
  - 5. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said final security state comprise instructions to cause the one or more processors to record, for each file system security change request, a single datum from which both the current security state and the final security state may be derived.
  - 6. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state comprise instructions to cause the one or more processors to store each said current security state and an identifier identifying the target file system object in a kernel memory.
  - 7. The non-transitory computer readable medium of claim 6, wherein the instructions to cause the one or more processors to record each said final security state comprise instructions to cause the one or more processors to associate, for each file system security change request, the final security state with the current security state in the kernel memory.
  - 8. The non-transitory computer readable medium of claim 7, further comprising instructions to cause the one or more processors, for at least one file system security change request of the plurality of file system security change requests, to:
    - retrieve the current security state, the final security state, and the identifier identifying the target file system object from the kernel memory; and
      
      store the current security state, the final security state, and the identifier identifying the target file system object in a database.
  - 9. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state and each said final security state further comprise instructions to cause the one or more processors, for each file system security change request of the plurality of file system security change requests, to record a user account identifier associated with the file system security change request.
  - 10. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state and each said final security state further comprise instructions, for each file system security change request of the plurality of file system security change requests, to cause the one or more processors to record a process identifier associated with the file system security change request.
  - 11. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state and each said final security state further comprise instructions to cause the one or more processors to record a computer system identifier on which the target file system object is stored.
  - 12. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state and each said final security state further comprise instructions to cause the one or more processors to record a path associated with the target file system object.
  - 13. The non-transitory computer readable medium of claim 1, wherein the indication comprises an aggregated initial security state and an aggregated final security state.
  - 14. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the one or more processors to record each said current security state comprise instructions to cause the one or more processors to record each said current security state in an operating system level memory.
  - 15. The non-transitory computer readable medium of claim 14, wherein the instructions to cause the one or more processors to record each said final security state comprise instructions to cause the one or more processors to record each said final security state in the operating system level memory.

16. An electronic system, comprising:
- a memory;
  
  an input-output device coupled to the memory; and
  
  a programmable control device communicatively coupled to the memory and the input-output device, the programmable control device adapted to execute instructions stored in the memory to;
  
  identify a file system object based, at least in part, on an input from the input-output device,intercept a plurality of file system security change requests directed to the file system object, each file system security change request having a corresponding current security state and a corresponding final security state, the plurality of file system security change requests being intercepted in a sequential order,record each said current security state,communicate the plurality of file system security change requests to a file system,intercept an indication that the plurality of file system security change requests have been processed by the file system,record each said final security state,aggregate each said recorded current security state and each said recorded final security state,identify an event based, at least in part, on the aggregation, andstore an indication of the identified event.
- View Dependent Claims (17, 18)
- - 17. The electronic system of claim 16 wherein the memory further comprises instructions to cause the programmable control device to store each said current security state and each said final security state to a non-transitory long-term memory.
  - 18. The electronic system of claim 17 wherein the instructions to cause the programmable control device to store each said current security state and each said final security state in the non-transitory long-term memory further comprise instructions to cause the programmable control device to store, in the non-transitory long-term memory, for each file system security change request of the plurality of file system security change requests, one or more of:
    - a user account identifier associated with the file system security change request, a computer system identifier associated with the file system security change request, and a process identifier associated with the file system security change request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Small, Brian Thomas
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/670,282
Publication Number

US 20130055392A1
Time in Patent Office

448 Days
Field of Search

726/22, 713/165
US Class Current

726/22
CPC Class Codes

G06F 11/3476 Data logging G06F11/14, G06...

G06F 2201/86 Event-based monitoring

File system event tracking

First Claim

25 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

File system event tracking

First Claim

25 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links