Hey; As mentioned in other posts, I'm trying to monitor the /etc directory but alert on /etc/passwd & shadow only if their permissions/ownership change. The rules used to read:
<rule id="100003" level="1">
  <if_group>syscheck,</if_group>
  <regex>/etc/passwd|/etc/shadow</regex>
  <description>Logging but not alerting changes to passwd/shadow files</description>
</rule>

<rule id="100004" level="10">
  <if_sid>100003</if_sid>
  <regex>[Oo]wnership was</regex>
  <description>Ownership change for password or shadow file!</description>
</rule>

however, after testing them out, the second rule isn't getting kicked off. The alert shows:

** Alert 1346175104.45945: - local,syslog,
2012 Aug 28 12:31:44 nilrhutl02->syscheck
Rule: 100003 (level 1) -> 'Logging but not alerting changes to passwd/shadow files'
Integrity checksum changed for: '/etc/shadow'
Ownership was '1', now it is '0'
Group ownership was '503', now it is '0'

I suspect that has to do with the regular expression [Oo] which attempts to find a capital or lower case 'o'. I replaced the [Oo] with a \w for any word character which I suspect will work; however, that feels like a bit of a kludge. Is there a way to make searches case insensitive or a better way to search for the word ownership regardless of the case of the first letter?

Thanks.

Doug O'Leary
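Added example, not from the post and not OSSEC's own code: a small Python model of the two-rule chain above (parent rule on the path, child rule chained through if_sid on the ownership line), run over constructed syscheck-style messages. It shows the parent/child dependency, that a case-insensitive match (Python's re.IGNORECASE here) also catches the "Group ownership was" line, and how the three candidate child patterns behave. The Rule fields, the sample events and the matching semantics are assumptions of this model; OSSEC's own regex dialect is smaller than Python's re, so check its documentation before carrying a pattern across.

```python
import re
from typing import List, Optional, Tuple

# Constructed syscheck-style messages (sample data made up for this example, not real alerts).
SAMPLE_EVENTS = [
    "Integrity checksum changed for: '/etc/shadow'\n"
    "Ownership was '1', now it is '0'\n"
    "Group ownership was '503', now it is '0'",
    "Integrity checksum changed for: '/etc/passwd'\n"
    "Size changed from '1862' to '1904'",
    "Integrity checksum changed for: '/etc/hosts'\n"
    "Ownership was '0', now it is '1000'",
]


class Rule:
    """Minimal model of an OSSEC-style rule: group filter, parent dependency, regex.
    Field names mirror the XML tags in the post; the matching logic is an assumption."""

    def __init__(self, rule_id: int, level: int, description: str,
                 regex: Optional[str] = None, if_group: Optional[str] = None,
                 if_sid: Optional[int] = None, flags: int = 0):
        self.rule_id = rule_id
        self.level = level
        self.description = description
        self.regex = regex
        self.if_group = if_group
        self.if_sid = if_sid
        self.flags = flags  # re.IGNORECASE is the case-insensitive switch in Python's re


def build_rules(child_regex: str, child_flags: int) -> List[Rule]:
    """The two rules from the post, with the child pattern left configurable."""
    return [
        Rule(100003, 1, "Logging but not alerting changes to passwd/shadow files",
             regex=r"/etc/passwd|/etc/shadow", if_group="syscheck,"),
        Rule(100004, 10, "Ownership change for password or shadow file!",
             regex=child_regex, if_sid=100003, flags=child_flags),
    ]


def evaluate(event: str, group: str, rules: List[Rule]) -> Optional[Rule]:
    """Walk the rules in order. A rule with if_sid fires only after its parent
    fired on the same event; the highest-level rule that fired is reported."""
    fired = {}
    for r in rules:
        if r.if_group and group not in r.if_group.rstrip(",").split(","):
            continue
        if r.if_sid is not None and r.if_sid not in fired:
            continue
        if r.regex and not re.search(r.regex, event, r.flags):
            continue
        fired[r.rule_id] = r
    return max(fired.values(), key=lambda r: r.level) if fired else None


def evaluate_all(child_regex: str = r"ownership was",
                 child_flags: int = re.IGNORECASE) -> List[Optional[Tuple[int, int]]]:
    """Run every sample event through the chain; returns (rule_id, level) or None per event."""
    rules = build_rules(child_regex, child_flags)
    results = []
    for event in SAMPLE_EVENTS:
        hit = evaluate(event, "syscheck", rules)
        results.append((hit.rule_id, hit.level) if hit else None)
    return results


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_all()):
        print(event.splitlines()[0], "->", hit)
```

With the default case-insensitive pattern the shadow event escalates to rule 100004 (level 10), the passwd size change stays at rule 100003 (level 1), and the /etc/hosts ownership change fires nothing because the child rule never runs without its parent. The post's `\wwnership was` workaround and Python's `[Oo]wnership was` give the same results in this model; a pattern engine that took the brackets literally would leave the child rule silent, which is the symptom described.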
