2009-11-02 15:47:25 UTC
That doesn't seem to work. However, if I try this:
criticality=0 event=(open,creat,unlink,symlink,truncate,ftruncate,mknod,rename,truncate64,ftruncate64,access) name=/etc*
then it will detect if I try something like rm /etc/passwd. If I then add something like uid!=0 to it, it won't work. If I do something like "name=(\/etc\/.,\/var\/.)" it also won't work.
Basically, I would like to record any attempts to remove, change, create any files in /etc, /sbin, /bin ....
However, I don't need to record every time the users access /bin, like if he is just using "ls" or "more",
and I would like to exclude more than one user, like root, the linuxshield virus scan username, etc.
Can you provide an example? I've tried many combinations for hours and I can either get it to log everything or log nothing.
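As an added illustration (not part of the original post, and not Snare configuration syntax), the script below models the selection the poster is after: log modifications under /etc, /sbin and /bin, ignore read-only accesses such as "ls" or "more", and skip a whole set of users rather than a single uid. The event records, field names and the user names "alice" and "linuxshield" are constructed for the example; the one real-world point it encodes is that open(2) and access(2) are also called for plain reads, so a rule keyed only on the syscall name will fire on reads unless the open flags are inspected.

```python
import os
from dataclasses import dataclass

# Assumed for the example: directories to watch and users to exclude.
WATCHED_DIRS = ("/etc", "/sbin", "/bin")
EXCLUDED_USERS = {"root", "linuxshield"}

# Syscalls that always modify the named object.
ALWAYS_MODIFY = {"creat", "unlink", "symlink", "truncate", "ftruncate",
                 "mknod", "rename", "truncate64", "ftruncate64"}
# Syscalls whose effect depends on the flags argument: a read-only open
# (O_RDONLY == 0) is what "ls" or "more" produce and should not be logged.
FLAG_DEPENDENT = {"open", "openat"}
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_APPEND


@dataclass
class Event:
    """Constructed event record; the real collector's format will differ."""
    syscall: str
    path: str
    user: str
    flags: int = 0  # open(2) flags, meaningful only for open/openat


def under_watched_dir(path, dirs=WATCHED_DIRS):
    """True if path is a watched directory or lies beneath one.

    A bare string-prefix test ("/etc*") also matches /etcfoo, so the
    comparison is done on path components after normalisation.
    """
    norm = os.path.normpath(path)
    for d in dirs:
        base = d.rstrip("/")
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


def is_modification(ev):
    """True if the event changes the object (create, delete, rename, write)."""
    if ev.syscall in ALWAYS_MODIFY:
        return True
    if ev.syscall in FLAG_DEPENDENT:
        return bool(ev.flags & WRITE_FLAGS)
    return False  # access(2), stat(2), read-only open, etc.


def should_log(ev, excluded=EXCLUDED_USERS):
    """Apply all three conditions: user not excluded, path watched, modifying."""
    return (ev.user not in excluded
            and under_watched_dir(ev.path)
            and is_modification(ev))


def filter_events(events, excluded=EXCLUDED_USERS):
    """Return only the events that should be recorded."""
    return [ev for ev in events if should_log(ev, excluded)]


# Constructed sample events illustrating each branch of the filter.
SAMPLE_EVENTS = [
    Event("unlink", "/etc/passwd", "alice"),                 # rm /etc/passwd -> log
    Event("open", "/bin/ls", "alice", os.O_RDONLY),          # running ls -> skip
    Event("open", "/etc/hosts", "alice", os.O_RDONLY),       # more /etc/hosts -> skip
    Event("open", "/etc/hosts", "alice", os.O_WRONLY | os.O_TRUNC),  # editing -> log
    Event("rename", "/sbin/init", "root"),                   # excluded user -> skip
    Event("creat", "/etc/cron.d/job", "linuxshield"),        # excluded user -> skip
    Event("unlink", "/etcfoo/bar", "alice"),                 # not under /etc -> skip
    Event("access", "/bin/sh", "alice"),                     # access(2) probe -> skip
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(f"LOG user={ev.user} syscall={ev.syscall} path={ev.path}")
```

The flag check is the part worth carrying back to whatever rule language is in use: the event list in the post includes open and access, both of which every read of a file in /bin or /etc goes through, so without a write-flag condition the rule necessarily logs "ls" and "more" as well.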