I have a piece of software that works on Windows. The software has two components: a file system minifilter driver that works in kernel mode and a user mode component that talks to the driver. The driver receives notifications on IO interrupt requests, such as IRP_MJ_READ. A sample application that does this can be found on GitHub. This works for any user and most file systems supported by Windows.
I need to develop a similar piece of software for OS X (desktop and server only). Things I looked at:
My reservations are: FSEvents may not be very performant, as I need to monitor the root / folder and any mounted devices. I have a very limited understanding of kernel queues, and syscall API hijacking may make it very hard to port to different OS X versions and can cause conflicts with AV or OS protection (such as PaX hardening).
Question: how can I get notifications that a file in any (recursive) folder under root / is being read by any user on OS X?
With a kernel extension, Kernel Authorization provides the File Operation Scope, allowing you to monitor the KAUTH_FILEOP_OPEN action for all vnodes.

The KAUTH_FILEOP_OPEN action will be called before access to all files, thus allowing you to monitor file access.

If you want more granularity of actions, the VNode scope provides a larger set of actions, including KAUTH_VNODE_READ_DATA, but be aware that this scope can be very noisy, triggering a very large number of actions at any one time.

Example code for such a kernel extension can be found in Singh's Mac OS X Internals.
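The following is an added example, not code from the question, the answer, or Singh's book: a kauth listener on the File Operation scope (`KAUTH_SCOPE_FILEOP`, `kauth_listen_scope`, `kauth_unlisten_scope`, `kauth_cred_getuid` are the real kernel APIs) that counts every `KAUTH_FILEOP_OPEN` whose path falls under a watched prefix, which is "/" here to match the asker's requirement. Two caveats a practitioner should know before building on it: per Apple's TN2127 the fileop scope is notification-only, the callback fires after the open has already succeeded, and its return value is ignored (listeners return `KAUTH_RESULT_DEFER`); and `kauth_unlisten_scope` does not wait for callbacks already in flight, so a production kext must track them before unloading. Everything under the `!KERNEL` branch is a host-side shim that is an assumption of this example (it mirrors the handful of kauth types and constants the callback touches, with the real header values) so the same decision logic can be compiled and exercised outside a kext; the kext name `FileMon` and the `simulate_event` helper are likewise invented for illustration.

```c
/*
 * Added example: kauth File Operation scope listener for KAUTH_FILEOP_OPEN.
 * Build for the kernel with -DKERNEL as part of a kext (Kernel.framework
 * headers); build without it to exercise the callback logic on the host.
 */
#ifdef KERNEL
#include <mach/mach_types.h>
#include <sys/systm.h>      /* kernel printf */
#include <sys/kauth.h>
#include <sys/vnode.h>
#include <string.h>
#else
/* Host-side shim (assumption of this example): the subset of <sys/kauth.h>
 * the callback uses, with the constants' real values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct shim_cred { unsigned int uid; };
typedef struct shim_cred *kauth_cred_t;
typedef int kauth_action_t;
#define KAUTH_FILEOP_OPEN    1
#define KAUTH_FILEOP_CLOSE   2
#define KAUTH_RESULT_DEFER   3
static unsigned int kauth_cred_getuid(kauth_cred_t c) { return c->uid; }
#endif

/* Root of the tree to watch; "/" matches every path, the asker's case. */
#define WATCH_PREFIX "/"

/* Count of watched opens seen.  In a real kext this is the point where the
 * event would be queued to the user-mode component instead. */
static unsigned long g_open_events;

static int path_is_watched(const char *path)
{
    return path != NULL &&
           strncmp(path, WATCH_PREFIX, strlen(WATCH_PREFIX)) == 0;
}

/*
 * Fileop-scope listener.  For KAUTH_FILEOP_OPEN, arg0 is the vnode_t and
 * arg1 is the path (TN2127).  This scope cannot veto anything: the open has
 * already happened, and the return value is ignored, so always DEFER.
 */
static int fileop_listener(kauth_cred_t cred, void *idata,
                           kauth_action_t action,
                           uintptr_t arg0, uintptr_t arg1,
                           uintptr_t arg2, uintptr_t arg3)
{
    const char *path = (const char *)arg1;
    (void)idata; (void)arg0; (void)arg2; (void)arg3;

    if (action != KAUTH_FILEOP_OPEN)   /* close, rename, exec, link, ... */
        return KAUTH_RESULT_DEFER;
    if (!path_is_watched(path))        /* also covers a NULL path */
        return KAUTH_RESULT_DEFER;

    g_open_events++;
    printf("FileMon: open uid=%u path=%s\n", kauth_cred_getuid(cred), path);
    return KAUTH_RESULT_DEFER;
}

#ifdef KERNEL
static kauth_listener_t g_listener;

/* Kext entry points (names are this example's; match them in Info.plist). */
kern_return_t FileMon_start(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    g_listener = kauth_listen_scope(KAUTH_SCOPE_FILEOP, fileop_listener, NULL);
    return g_listener != NULL ? KERN_SUCCESS : KERN_FAILURE;
}

kern_return_t FileMon_stop(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    if (g_listener != NULL)
        kauth_unlisten_scope(g_listener);
    /* TN2127 caveat: unlisten does not drain in-flight callbacks.  A real
     * kext keeps an active-call counter and waits for it to reach zero
     * here before returning, or the unload can race a running callback. */
    return KERN_SUCCESS;
}
#else
/* Host-only helper: push one constructed fileop event through the listener
 * and return the running count of watched opens. */
unsigned long simulate_event(kauth_action_t action, unsigned int uid,
                             const char *path)
{
    struct shim_cred cred = { uid };
    fileop_listener(&cred, NULL, action, 0, (uintptr_t)path, 0, 0);
    return g_open_events;
}
#endif
```

Because the fileop scope only reports opens, a file that is opened once and read many times produces a single event; if the requirement is really "being read", the vnode scope's `KAUTH_VNODE_READ_DATA` is the action to listen for, at the cost of the volume the answer warns about.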