Here is a problem I am trying to figure out a work-around for.
Looking for files that might be unauthorized copies of files. For example,
/etc/passwd. But, if you add that to the rootkit_files in etc/shared - you
would want to list it as */passwd -- but how could you get it to only
trigger if it finds copies of passwd in anyplace other than /etc?

scratching head,
~k
