With recently launch of ClamAV 0.99 with support for fanotify, I started some search about it.
The fanotify (http://man7.org/linux/man-pages/man7/fanotify.7.html) is another monitoring filesystem events API like the inotify but with some advantages:
- It can recursively monitor the entire mount tree without having to mark each file/directory.
- It can make access permission decisions, and the possibility to read or modify files before access by other applications, blocking suspicious from being read/executed from other process before the scan finishes.
- It can take the PID of currently process that are opening/reading/writing a file, so you can easy send some signal to it.
But it's different from inotify the fanotify have some restrictions:
- It don't monitor create, delete, and move events, only access events like open/exec/write are monitored.
- It don't take any metadata from the filesystem object, only the FD (file descriptor), mask and PID of the process thats made the access event.
- It supported only in post 2.6.37 kernels.
Resuming, my proposal is to implement the fanotify in CXSWatch in addition the the currently inotify support as a strong and faster alternative to any post 2.6.37 linuxes (like RHEL/Centos/Oracle/Cloudlinux 7, most of ubuntus and debian versions).
Sorry for my bad english.