Limiting filesystem provenance collection on macOS
It may be preferable to only collect provenance about a limited part of the filesystem (that a target application is using, for example). Additionally, collecting fine-grained provenance, including I/O time, can impose significant overhead when done across the entire operating system. This reporter allows provenance collection to be limited to a subtree of the filesystem (which is /tmp/mountPoint in the example below).
The MacFUSE reporter is built automatically with make in the top-level SPADE directory.
To use this reporter, the argument must specify the path where the FUSE filesystem will be mounted:
-> add reporter MacFUSE /tmp/mountPoint
Adding reporter MacFUSE... done
Provided that no file or directory already exists at /tmp/mountPoint, the above command will mount the FUSE filesystem at /tmp/mountPoint. Any filesystem events that occur in this subtree will be monitored by SPADE and their provenance recorded. Information about the processes that generate the filesystem activity will also be collected and reported.
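A preflight check for the precondition above, added here as an example and not part of SPADE. The helper names in_mount_table and check_mountpoint are hypothetical; the check covers two cases a plain existence test misses, a dangling symlink and a mount that is still registered at the path.

```shell
#!/bin/sh
# Added example: verify that nothing occupies the path before running
# "add reporter MacFUSE <path>". Helper names are hypothetical.

# Reads `mount` output on stdin; succeeds if $1 is listed as a mount target.
# Handles "dev on /path (opts)" (macOS) and "dev on /path type fs (opts)" (Linux).
in_mount_table() {
    target=$1
    while IFS= read -r line; do
        case "$line" in
            # The quoted part is matched literally, so glob characters in
            # the path cannot widen the match.
            *" on $target ("*|*" on $target type "*) return 0 ;;
        esac
    done
    return 1
}

# Prints a reason and returns 1 if something already occupies the path.
check_mountpoint() {
    mp=$1
    # -e follows symlinks, so a dangling symlink needs the separate -L test.
    if [ -e "$mp" ] || [ -L "$mp" ]; then
        echo "already exists: $mp"
        return 1
    fi
    # A stale FUSE mount can make stat() fail while still occupying the path,
    # so consult the mount table as well.
    if mount 2>/dev/null | in_mount_table "$mp"; then
        echo "already a mount target: $mp"
        return 1
    fi
    echo "ok: $mp"
}

# Stand-alone use: sh preflight.sh /tmp/mountPoint
if [ $# -gt 0 ]; then
    check_mountpoint "$1"
fi
```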
This material is based upon work supported by the National Science Foundation under Grants OCI-0722068, IIS-1116414, and ACI-1547467. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.