```
   _____            __  _            __
  / ___/___  ____  / /_(_)___  ___  / /
  \__ \/ _ \/ __ \/ __/ / __ \/ _ \/ /
 ___/ / __/ / / / /_/ / / / / __/ /
/____/\___/_/ /_/\__/_/_/ /_/\___/_/

        ---simple X sys monitor---
```
Experimental Linux x86-64 system monitor built on a custom kernel character driver and a C console reader.

The driver hooks into the kernel via ftrace and other techniques to intercept useful kernel event information. A userspace reader consumes events from the driver through a shared kfifo ring buffer and displays them in a color-coded terminal log.
```
        Kernel space                             User space
 ──────────────────────────────────    ─────────────────────────────
        ftrace hooks                            /dev/sentinel
 ┌──────────────────────┐              ┌────────────────────────┐
 │ hook_kill            │              │                        │
 │ hook_execve          │ ──events──►  │  sentinel-monitor (C)  │
 │ hook_wake_up_new_task│    kfifo     │  colored log output    │
 │ hook_commit_creds    │              │                        │
 │ ...                  │              └────────────────────────┘
 └──────────────────────┘
            │
   miscdevice /dev/sentinel
   kfifo_rec_ptr_2 ring buffer
   wait_queue (blocking read)
```
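The reader side of the pipeline above, written here as an added example rather than the project's own `gui/reader.c`: it opens `/dev/sentinel`, blocks in `read()` until the driver's wait_queue wakes it, validates each record against the expected ABI size and type, scrubs the command name before printing, and logs one line per event. The `struct sentinel_event` layout, the `SENTINEL_EV_*` tags and the one-record-per-`read()` behaviour are assumptions standing in for `uapi/events.h`, which is not shown here.

```c
/* Added example (not the project's gui/reader.c): a userspace consumer for a
 * record-oriented char device like /dev/sentinel. The event layout and type
 * tags below are ASSUMPTIONS standing in for uapi/events.h. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum sentinel_ev_type {            /* hypothetical tags; the real ones live in uapi/events.h */
    SENTINEL_EV_EXECVE = 1,
    SENTINEL_EV_KILL = 2,
    SENTINEL_EV_NEW_TASK = 3,
    SENTINEL_EV_COMMIT_CREDS = 4,
};

struct sentinel_event {            /* hypothetical record layout, 32 bytes, no padding */
    uint32_t type;
    uint32_t pid;
    uint32_t uid;
    uint32_t aux;                  /* signal for KILL, new euid for COMMIT_CREDS */
    char comm[16];                 /* may arrive without a terminating NUL */
};

static const char *sentinel_type_name(uint32_t type)
{
    switch (type) {
    case SENTINEL_EV_EXECVE:       return "EXECVE";
    case SENTINEL_EV_KILL:         return "KILL";
    case SENTINEL_EV_NEW_TASK:     return "NEW_TASK";
    case SENTINEL_EV_COMMIT_CREDS: return "COMMIT_CREDS";
    default:                       return "UNKNOWN";
    }
}

/* Validate one record copied out of the kfifo. Returns 0 on success, -1 if the
 * length does not match the ABI (driver/reader built from different headers)
 * or the type tag is unknown. */
int sentinel_decode(const unsigned char *rec, size_t len, struct sentinel_event *out)
{
    if (len != sizeof(*out))
        return -1;
    memcpy(out, rec, sizeof(*out));
    if (out->type == 0 || out->type > SENTINEL_EV_COMMIT_CREDS)
        return -1;
    out->comm[sizeof(out->comm) - 1] = '\0';   /* force NUL termination */
    for (char *p = out->comm; *p; p++)         /* neutralise control bytes before they hit a terminal */
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            *p = '?';
    return 0;
}

/* Render an event as one log line; returns the number of characters written. */
int sentinel_format(const struct sentinel_event *ev, char *buf, size_t n)
{
    return snprintf(buf, n, "[%s] pid=%u uid=%u aux=%u comm=%s",
                    sentinel_type_name(ev->type), ev->pid, ev->uid, ev->aux, ev->comm);
}

/* Blocking read loop: each read() is assumed to return one whole record, or to
 * block on the driver's wait_queue until a hook pushes one. Retries on EINTR;
 * a record of the wrong size is reported and dropped rather than parsed. */
int sentinel_read_loop(int fd, FILE *log)
{
    unsigned char rec[256];        /* larger than any record we expect */
    struct sentinel_event ev;
    char line[128];

    for (;;) {
        ssize_t n = read(fd, rec, sizeof(rec));
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            return 0;              /* driver signalled end of stream */
        if (sentinel_decode(rec, (size_t)n, &ev) < 0) {
            fprintf(log, "[!] dropped %zd-byte record (ABI mismatch?)\n", n);
            continue;
        }
        sentinel_format(&ev, line, sizeof(line));
        fprintf(log, "%s\n", line);
    }
}

int main(void)
{
    int fd = open("/dev/sentinel", O_RDONLY);   /* device path from the README */
    if (fd < 0) {
        perror("open /dev/sentinel");
        return 1;
    }
    int rc = sentinel_read_loop(fd, stdout);
    close(fd);
    return rc < 0 ? 1 : 0;
}
```

Run it as root or as a member of the device group. A record whose size does not match the struct is logged and dropped instead of parsed, which is what a driver/reader pair built from different versions of `events.h` looks like from userspace.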
```
sentinel/
├── driver/
│   ├── src/
│   │   ├── sentinel.c      # module init/exit
│   │   ├── chardev.c       # miscdevice, kfifo, wait_queue
│   │   ├── hook.c          # ftrace hook infrastructure
│   │   ├── processes.c     # syscall & kernel hooks
│   │   ├── modules.c       # syscall & kernel hooks
│   │   └── memory.c        # syscall & kernel hooks
│   ├── include/
│   │   ├── sentinel.h
│   │   ├── chardev.h
│   │   ├── hook.h
│   │   ├── processes.h
│   │   ├── modules.h
│   │   └── memory.h
│   └── Makefile
├── gui/
│   ├── reader.c            # userspace event reader
│   └── Makefile
├── uapi/
│   └── events.h            # shared ABI — kernel & userspace
├── scripts/
│   └── base_deps.sh        # install kernel dev dependencies
└── README.md
```
- Linux x86-64
- Kernel 5.10+ with `CONFIG_FTRACE` and `CONFIG_KPROBES` enabled
- Kernel headers for your running kernel
- GCC, make
Install dependencies:

```sh
./scripts/base_deps.sh
```

Driver:

```sh
cd driver
make
```

Reader:

```sh
cd gui
make
```

1. Load the driver:

```sh
sudo insmod driver/sentinel_driver.ko
dmesg | tail          # verify: "[*] sentinel: Successfully registered misc device."
ls -la /dev/sentinel
```

2. Run the monitor:
```sh
sudo ./gui/sentinel-monitor
```

3. Unload when done:

```sh
sudo rmmod sentinel_driver
```

`/dev/sentinel` is created with mode 0440 (root + group). Either run the monitor as root or add your user to the device group:
```sh
# find the group
ls -la /dev/sentinel
# add user to group
sudo usermod -aG <group> $USER
# or create a udev rule
echo 'KERNEL=="sentinel", MODE="0440", GROUP="sentinel"' \
  | sudo tee /etc/udev/rules.d/99-sentinel.rules
```

The driver targets x86-64 and requires `CONFIG_X86_64`. It compiles cleanly on kernel 5.10 (Debian 11) and 6.1 (Debian 12).
On kernel 6.13+, two module metadata changes apply:

- `MODULE_VERSION` removed (generates undefined `__modver_version_show`)
- `MODULE_IMPORT_NS("STATIC_CALL")` required for `might_resched` static call resolution

Both are handled in sentinel.c.
