fsmon: monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux


FileSystem Monitor utility that runs on Linux, Android, iOS, and OSX.


fsmon filesystem information is taken from different backends depending on the operating system and apis available.

This is the list of backends that can be listed with fsmon -L:

  • inotify (Linux / Android)
  • fanotify (Linux > 2.6.36 / android 5)
  • devfsev (osx /dev/fsevents – requires root)
  • kqueue (xnu – requires root)
  • kdebug (bsd?, xnu – requires root)
  • fsevapi (osx filesystem monitor api)


fsmon is a portable tool. It works on iOS, OSX, Linux and Android (x86, arm, arm64, mips)

git clone https://github.com/nowsecure/fsmon.git


$ make

OSX + iOS fatbin

$ make


$ make ios


$ make android NDK_ARCH=<ARCH> ANDROID_API=<API>

To get fsmon installed system wide just type:

$ make install

Changing installation path…

$ make install PREFIX=/usr DESTDIR=/


The tool retrieves file system events from a specific directory and shows them in colorful format or in JSON.

It is possible to filter the events happening from a specific program name or process id (PID).

Usage: ./fsmon [-jc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
 -a [sec]  stop monitoring after N seconds (alarm)
 -b [dir]  backup files to DIR folder (EXPERIMENTAL)
 -B [name] specify an alternative backend
 -c        follow children of -p PID
 -f        show only filename (no path)
 -h        show this help
 -j        output in JSON format
 -L        list all filemonitor backends
 -p [pid]  only show events from this pid
 -P [proc] events only from process name
 -v        show version


only get events from this path

Copyright (c) 2016 NowSecure, Inc

Source: https://github.com/nowsecure/

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

SC ProDefence SRL - Cyber Security Services