
How to Monitor File System Activity on macOS

File system monitoring is a crucial aspect of system administration and security. It allows administrators to track changes to files and directories, which can help in identifying unauthorized access, data breaches, and system performance issues. On macOS, file system monitoring can be performed using various built-in tools and utilities. This article will introduce you to some of these tools and provide practical examples of how to use them for effective file system monitoring.

Examples:

Using fs_usage to Monitor File System Activity

fs_usage is a command-line tool that provides real-time monitoring of file system activity. It displays information about system calls and page faults related to file system operations.

Example 1: Monitoring All File System Activity

To monitor all file system activity, open the Terminal and run the following command:

sudo fs_usage

This command will display a continuous stream of file system activity, including reads, writes, and other operations.

Example 2: Filtering by Process

To monitor file system activity for a specific process, pass the process name (or its PID) as the last argument. The -w flag is not the filter; it forces wider, more detailed output:

sudo fs_usage -w Safari

This command will show file system activity related to the Safari browser.

Using auditd for Detailed File System Auditing

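auditd is the audit daemon responsible for writing audit records to the audit log. It selects what to record by audit event class, set in the audit control file, rather than by individual file or directory. Apple has deprecated this audit subsystem since macOS 11 and disables it by default since macOS 14.

Example 3: Configuring auditd to Record File Activity

  1. Open the audit control file in a text editor:
    sudo nano /etc/security/audit_control
  2. Add the file classes you want recorded, such as fc, fd and fw (file create, delete and write), to the existing flags: line. Do not add a dir: entry for the directory you want to watch: dir: names the directory where the audit logs themselves are written (/var/audit by default), so the following line would move the audit trail into a shared folder rather than monitor it:
    dir:/Users/Shared
  3. Save the file and tell the audit daemon to re-read its configuration:
    sudo audit -s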
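
A lint for the two audit_control settings involved in Example 3, as an added example that is not part of the original article: dir: names where audit logs are written and flags: lists the audit classes recorded. The function names, the baseline (/var/audit plus the fc, fd and fw classes) and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an OpenBSM audit_control file.
# The baseline below is an assumption; adjust it to your own policy.

EXPECTED_DIR="/var/audit"     # default audit trail directory on macOS
WANTED_CLASSES="fc fd fw"     # file create, file delete, file write

# Print the value of the last "KEY:value" entry in FILE.
# Comment lines start with '#', so their first field never equals KEY.
ac_value() {  # usage: ac_value KEY FILE
    awk -F: -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$2"
}

# Print one finding per line; return 0 if FILE matches the baseline, else 1.
check_audit_control() {  # usage: check_audit_control FILE
    file=$1; rc=0
    dir=$(ac_value dir "$file")
    flags=$(ac_value flags "$file")

    if [ "$dir" != "$EXPECTED_DIR" ]; then
        echo "dir: audit trail is written to '$dir', expected '$EXPECTED_DIR'"
        rc=1
    fi
    for class in $WANTED_CLASSES; do
        # A class may carry a + (success only) or - (failure only) prefix;
        # "all" covers every class.
        case ",$flags," in
            *",$class,"*|*",+$class,"*|*",-$class,"*|*",all,"*) ;;
            *) echo "flags: class '$class' is not audited"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not taken from a real system): the first has the
# audit trail redirected to a shared folder, the second matches the baseline.
demo() {
    tmp=$(mktemp -d)
    printf 'dir:/Users/Shared\nflags:lo,aa\nminfree:5\n' > "$tmp/weak"
    printf 'dir:/var/audit\nflags:lo,aa,fc,fd,fw\nminfree:5\n' > "$tmp/fixed"
    for f in weak fixed; do
        echo "== $f"; check_audit_control "$tmp/$f" && echo "ok"
    done
    rm -rf "$tmp"
}
demo
```

On a real system, run check_audit_control /etc/security/audit_control after editing the file and before running sudo audit -s.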

Using fswatch for Real-Time File System Monitoring

fswatch is a third-party utility that monitors file system changes and can be installed via Homebrew.

Example 4: Installing fswatch

First, install Homebrew if you haven't already:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then, install fswatch:

brew install fswatch

Example 5: Monitoring a Directory with fswatch

To monitor changes in the /Users/Shared directory, run:

fswatch /Users/Shared

This command will display a list of changes as they occur in the specified directory.
