Real time detection of file system or processes changes

Is it possible to detect changes to a container's file system as they happen? I have a web application which needs to be highly secure. I'd like to monitor the container and be notified whenever a file is added, removed or changed, as well as if a new process is started inside the container.

I know the diff command could be used to see changes, however I'd prefer to have something I could watch more directly. Calling diff every minute or so and comparing the output with the previous run won't show if a file is changed more than once, and won't register if a new process is created.

As for processes, I'm more concerned about processes which start and exit rapidly.

Thoughts?

Hello rellistrion, you can use Zabbix.

I am using it on my Docker host and I can see the memory, the processor and the container status, but if you need more information about the container specification you can install the Zabbix agent in the container.

What you're describing sounds a lot like Sysdig's Falco tool: http://www.sysdig.org/falco/

Consider your tradeoffs wisely here… monitoring an FS so intensely is unlikely to be cheap on system resources.
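For reference, here is what the original question's two requirements (file add/remove/change and short-lived process starts inside one container) look like as a standalone Falco rules file. This is an added example, not code from the thread or from the Falco project; it assumes the web app runs from an image named `example/webapp` (a placeholder), and the macros are defined inline (mirroring Falco's default ones) so the file loads on its own with `falco -r`.

```yaml
# Added example Falco rules (not from the thread). Load with: falco -r webapp_rules.yaml
# Falco hooks syscalls from the kernel, so execs that exit within milliseconds are
# still seen, which the periodic "docker diff" approach in the question cannot do.

- macro: in_webapp_container
  # "host" is Falco's container.id for processes outside any container.
  # The image name is an assumption; replace it with your real image.
  condition: container.id != host and container.image.repository = "example/webapp"

- macro: open_write
  # A file opened with write intent (covers create and modify).
  condition: evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f' and fd.num >= 0

- macro: remove_or_rename
  # Deletions and renames of files or directories.
  condition: evt.type in (unlink, unlinkat, rmdir, rename, renameat, renameat2)

- macro: spawned_process
  # Exit side of execve, i.e. a new program image has started.
  condition: evt.type in (execve, execveat) and evt.dir = <

- rule: Webapp container file written
  desc: A file was created or modified inside the web app container
  condition: in_webapp_container and open_write
  output: "File written in container (user=%user.name cmd=%proc.cmdline file=%fd.name container=%container.name)"
  priority: WARNING
  tags: [filesystem, container]

- rule: Webapp container file removed or renamed
  desc: A file or directory was deleted or renamed inside the web app container
  condition: in_webapp_container and remove_or_rename
  output: "File removed/renamed in container (user=%user.name cmd=%proc.cmdline args=%evt.args container=%container.name)"
  priority: WARNING
  tags: [filesystem, container]

- rule: Webapp container process spawned
  desc: Any new process executed inside the web app container, including short-lived ones
  condition: in_webapp_container and spawned_process
  output: "Process started in container (user=%user.name cmd=%proc.cmdline parent=%proc.pname container=%container.name)"
  priority: NOTICE
  tags: [process, container]
```

As the reply above warns, the write rule fires on every write by the application itself, so in practice you would narrow it with `and not proc.name in (...)` for the app binary or `and fd.name startswith /etc` for the paths that matter, which also keeps the event volume manageable.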

Looking at Falco… looks promising. Thanks