The File Attribute Monitor configuration file is a simple text file. This section describes the contents of the configuration file.
Comments have no effect on the behaviour of File Attribute Monitor.
There are three forms of comments:
The configuration file must contain one or more file selection rules. These rules determine the set of files and attributes to be monitored. Each rule contains a regular expression which is matched against the full paths of the files on the system. If the regular expression matches the path, then the rule applies to the file.
There are three types of selection rules:
For a given path, there may be more than one rule with a regular expression which matches the path, but only one of these rules determines the action taken with the file. This rule is called the effective rule. If more than one rule matches a path, the effective rule is determined by the following rules of precedence:
These rules are illustrated in the Examples section which follows.
Include rules begin with the character '+', followed by a regular expression matching the paths of the files to be included, and ending with an expression defining the set of attributes to be monitored.
Example 1-5. Include rules
    #
    # The following rule includes all files on the system with the
    # attributes in attribute group R.
    #
    +/ R
    #
    # The following rule includes all files on the system with the
    # attributes in attribute group R and with the sha1 checksum.
    #
    +/ R+sha1
    #
    # The following rule includes all files on the system with the
    # attributes in attribute group R except for the md5 checksum
    #
    +/ R-md5
    #
    # The following rule includes all files in directory /etc
    # with the attributes user, group and permissions
    #
    +/etc u+g+p
    #
    # The following rule includes all files in directory /var
    # with extension ".dat"
    #
    +/var/.*\.dat R
    #
    # The following rule includes the directory /tmp, but not its contents
    # For example, the path "/tmp/xxx" does not match this expression.
    #
    +/tmp$ u+g+p
    #
    # One can get carried away with regular expressions
    #
    +/opt/(foo|bar|baz)*/bin/[^X].*\.bbb R
Exclude rules begin with the character '-', followed by a regular expression matching the paths of files to be excluded.
In principle, there is no need for exclude rules. One can always write the regular expressions in the include rules to include only the files one wants. Practically, it may be much easier to write simple include rules which include too much, then add some simple exclude rules to exclude a few of the files which would otherwise be included.
Ignore rules begin with the character '!', followed by a regular expression matching the paths of the files to be ignored.
Ignore rules are like exclude rules except that they have higher precedence. It is possible to include files that match an exclude rule by writing an include rule which matches a longer prefix of the path, but files with paths matched by the regular expressions of ignore rules are always ignored.
Depending on the set of rules in the configuration file, fattmon may have to traverse large directory trees to check for possible matches with include rules, but if a directory matches an ignore rule, it knows not to bother inspecting the contents of that directory. This can save time and avoid problems in directories where access to files and directories can have undesired side effects. For example, the /proc directory might be a good one to ignore.
Example 1-7. Ignore rules
    #
    # The following rule includes all files ending in ".baz"
    # This sort of rule makes fattmon open every directory
    # on the system to find out if there is a file with
    # the extension ".baz" in it.
    #
    +/.*\.baz R
    #
    # The following rule ignores the /proc directory
    # Despite the above rule, fattmon will not open the /proc directory
    # or any of its subdirectories
    #
    !/proc
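The interaction of include, exclude and ignore rules described above can be checked offline with a small resolver; this is an added example, not fattmon's own code, and the names parse_config, effective_rule and monitored_attrs are hypothetical. It assumes that expressions are anchored at the start of the path, that between include and exclude rules the longer matched prefix wins with ties going to the later rule, that only whole-line '#' comments occur, and that Python's re module stands in for fattmon's regular expression engine.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    kind: str              # '+' include, '-' exclude, '!' ignore
    regex: re.Pattern
    attrs: Optional[str]   # attribute expression; include rules only

def parse_config(text: str) -> list[Rule]:
    """Parse selection rules; only whole-line '#' comments are handled."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line[1:].split()
        want = 2 if line[0] == "+" else 1   # include rules carry attributes
        if line[0] not in "+-!" or len(fields) != want:
            raise ValueError(f"line {n}: malformed rule: {raw!r}")
        attrs = fields[1] if want == 2 else None
        rules.append(Rule(line[0], re.compile(fields[0]), attrs))
    return rules

def effective_rule(rules: list[Rule], path: str) -> Optional[Rule]:
    """Return the rule that decides what happens to path, or None."""
    best, best_len = None, -1
    for rule in rules:
        m = rule.regex.match(path)   # assumed: anchored at start of path
        if m is None:
            continue
        if rule.kind == "!":
            return rule              # ignore rules always take precedence
        if m.end() >= best_len:      # assumed: longer prefix wins, ties to later rule
            best, best_len = rule, m.end()
    return best

def monitored_attrs(rules: list[Rule], path: str) -> Optional[str]:
    """Attribute expression applied to path, or None if it is not monitored."""
    rule = effective_rule(rules, path)
    return rule.attrs if rule and rule.kind == "+" else None

# Constructed sample configuration, built from the rule forms shown on this page.
SAMPLE = """\
+/ R
-/var
+/var/log u+g+p
+/.*\\.baz R+sha1
!/proc
"""
```

Running the resolver over a list of sensitive paths before deploying a configuration shows which files a broad exclude or ignore rule silently drops from monitoring.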