File System Monitor

This module watches the file system by attaching eBPF programs to the LSM hooks security_inode_create, security_inode_unlink and security_file_open (this requires a kernel built with BPF LSM support and "bpf" in the active LSM list) and produces these events:

  • FileCreated: timestamp, pid, filename
  • FileDeleted: timestamp, pid, filename
  • FileOpened: timestamp, pid, filename, flags
  • ElfOpened: timestamp, pid, filename, flags

The ELF check identifies binaries. For every accessed file the module opens the file itself and checks whether its first bytes are the ELF magic (0x7f followed by the ASCII characters "ELF"); a file that matches produces an ElfOpened event instead of a plain FileOpened one. Because this adds a separate open and read for each accessed file, paths under elf_check_whitelist are skipped entirely, which is useful for pseudo-filesystems and other trees where reading file contents is pointless or undesirable.


  Option               Type       Description
  enabled              boolean    Enable the module
  elf_check_enabled    boolean    Enable ELF check
  elf_check_whitelist  path list  Paths ignored by ELF check
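The logic behind the ELF check and its whitelist, as an added example that is not Pulsar's own code: the magic-byte test, a whitelist match done on path components (so "/proc" covers "/proc/self/exe" but not "/procdata/x"), and the decision between FileOpened and ElfOpened. The `read_head` callback and the `sample_reader` in-memory file table are assumptions introduced here so the example runs offline; the real module reads the file from disk.

```rust
use std::path::Path;

/// The four magic bytes at the start of every ELF file: 0x7f 'E' 'L' 'F'.
pub const ELF_MAGIC: [u8; 4] = [0x7f, b'E', b'L', b'F'];

/// Event kinds this example emits, mirroring the module's FileOpened / ElfOpened.
#[derive(Debug, PartialEq, Eq)]
pub enum OpenEvent {
    FileOpened,
    ElfOpened,
}

/// True if `head` (the first bytes of a file) starts with the ELF magic.
/// A file shorter than four bytes cannot be an ELF binary.
pub fn is_elf(head: &[u8]) -> bool {
    head.starts_with(&ELF_MAGIC)
}

/// Whitelist match on whole path components: Path::starts_with compares
/// components, not characters, so "/proc" does not match "/procdata/x".
pub fn is_whitelisted(path: &str, whitelist: &[&str]) -> bool {
    let p = Path::new(path);
    whitelist.iter().any(|w| p.starts_with(w))
}

/// Decide which event an open should produce. The check is skipped when it is
/// disabled or the path is whitelisted; otherwise the first bytes are fetched
/// through `read_head` (hypothetical stand-in for the real file read) and
/// tested for the magic. A read failure (file vanished or unreadable between
/// the LSM event and our own open) falls back to FileOpened.
pub fn classify_open<F>(path: &str, elf_check_enabled: bool, whitelist: &[&str], read_head: F) -> OpenEvent
where
    F: Fn(&str) -> Option<Vec<u8>>,
{
    if !elf_check_enabled || is_whitelisted(path, whitelist) {
        return OpenEvent::FileOpened;
    }
    match read_head(path) {
        Some(head) if is_elf(&head) => OpenEvent::ElfOpened,
        _ => OpenEvent::FileOpened,
    }
}

/// Constructed in-memory "file system" used as sample input (not real files).
pub fn sample_reader(path: &str) -> Option<Vec<u8>> {
    match path {
        "/usr/bin/ls" => Some(vec![0x7f, b'E', b'L', b'F', 0x02, 0x01, 0x01, 0x00]),
        "/etc/passwd" => Some(b"root:x:0:0:root:/root:/bin/bash\n".to_vec()),
        "/tmp/short" => Some(vec![0x7f, b'E']),       // truncated header, not an ELF
        "/proc/self/exe" => Some(ELF_MAGIC.to_vec()), // would match, but is whitelisted
        _ => None,                                    // unreadable or already gone
    }
}

fn main() {
    let whitelist = ["/proc", "/sys", "/dev"];
    for path in ["/usr/bin/ls", "/etc/passwd", "/tmp/short", "/proc/self/exe", "/nonexistent"] {
        println!("{path}: {:?}", classify_open(path, true, &whitelist, sample_reader));
    }
}
```

The component-wise whitelist match matters: a plain string prefix test would let a whitelist entry such as "/proc" silently exclude any sibling directory whose name happens to start with "proc".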

Default configuration:


To disable the whole module, or only the ELF check, run:

pulsar config --set file-system-monitor.enabled=false
pulsar config --set file-system-monitor.elf_check_enabled=false


You can try this module using the probe example:

cargo run --example probe -- file-system-monitor