Linux kernel system monitor for file and device activity

A device-security vendor needed Linux host telemetry from inside the kernel. Joya Systems built a system monitor for file events, package activity, and removable devices, with user-mode delivery through a shared-memory queue.

Platforms

  • Linux

Services

  • Linux kernel module development
  • File system monitoring
  • User/kernel IPC
  • Security telemetry

The challenge

The product needed reliable file and device events from Linux systems, including enough process context for a security platform to make sense of the data. The event stream had to handle high volume without turning the user-mode agent into a bottleneck.

What we built

We implemented file activity monitoring for ext4 and XFS operations such as create, rename, link, unlink, directory changes, and writes. Events included PID, parent PID, UID, process name, timestamp, and resolved path information.

The user/kernel channel used a lock-free circular queue shared through mmap, with ioctl controls for enablement and filtering. A blocking wait path let the user-mode agent sleep until events were ready instead of polling.

The event model also covered RPM package operations and arrival of USB storage, Wi-Fi, and Bluetooth devices, giving the security product a broader view of system change.

Project outcome

  • Delivered kernel-level Linux telemetry spanning file, RPM package, and USB/Wi-Fi/Bluetooth device activity from a single sensor.
  • Designed the user/kernel path — lock-free mmap ring with a blocking wait — to absorb high event volume with negligible CPU overhead and no dropped events, instead of making the agent poll.
  • Shipped the process context (PID, PPID, UID, name, resolved path) a security analytics product needs, not just raw file paths.

Technical takeaway

Linux sensor quality depends on both collection depth and delivery mechanics. Dropping events or losing process context can make an otherwise clever sensor much less useful.

Working on something similar?

If your team is building in this area — a driver, kernel module, packet path, file system filter, security sensor, or certification plan — start with a technical conversation, not a sales call. Contact Joya Systems and describe the product, platform, and current state of the code.

Frequently asked questions

How do you collect file and device events from inside the Linux kernel without dropping them under load?

We used a lock-free circular queue shared with user space through mmap, with ioctl controls for enablement and filtering and a blocking wait path so the agent sleeps until events are ready instead of polling. That design absorbs high event volume without making the user-mode agent the bottleneck.
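The shared ring described in this answer and under "What we built" above, as an added example that is not Joya Systems' code: a single-producer/single-consumer lock-free ring written in portable C11 so it builds and runs in user space, assuming the kernel is the producer and the agent the consumer. The slot count, event field layout and the drop counter are this example's own assumptions; the ioctl controls and the blocking wait path are left out.

```c
/* Added example, not Joya Systems' code: a single-producer/single-consumer
 * lock-free ring in portable C11. In the real design this struct lives in the
 * page shared via mmap; the kernel is the producer and the agent the consumer. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define RING_SLOTS 8                    /* power of two: mask instead of modulo */
#define RING_MASK  (RING_SLOTS - 1)

struct fs_event {                       /* event plus process context (assumed layout) */
    uint32_t pid, ppid, uid;
    char     path[64];
};

struct ring {
    _Atomic uint32_t head;              /* advanced by producer only */
    _Atomic uint32_t tail;              /* advanced by consumer only */
    _Atomic uint32_t dropped;           /* events discarded while ring was full */
    struct fs_event  slots[RING_SLOTS];
};

void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Producer (kernel side). A full ring counts a drop instead of overwriting, so
 * the agent can see a telemetry gap rather than silently missing events. */
bool ring_push(struct ring *r, const struct fs_event *ev)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS) {
        atomic_fetch_add_explicit(&r->dropped, 1, memory_order_relaxed);
        return false;
    }
    r->slots[head & RING_MASK] = *ev;   /* fill the slot, then publish it */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}

/* Consumer (agent side). Empty means "go block in the wait path"; the kernel
 * wakes the waiter after a successful push. */
bool ring_pop(struct ring *r, struct fs_event *out)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return false;
    *out = r->slots[tail & RING_MASK];  /* copy out, then release the slot */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return true;
}
```

The acquire/release pairing on `head` and `tail` is what lets the two sides run without a lock: each index is written by exactly one party and each write publishes the slot contents it guards.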

Which Linux file systems and events can a kernel sensor like this monitor?

It monitors ext4 and XFS operations — create, rename, link, unlink, directory changes, and writes — each carrying PID, parent PID, UID, process name, timestamp, and resolved path. The same sensor also reports RPM package operations and arrival of USB storage, Wi-Fi, and Bluetooth devices.