The regex is case insensitive by default. So just <regex>Ownership was</regex>
should work.

thanks,

--
Daniel B. Cid
http://dcid.me

On Tue, Aug 28, 2012 at 3:01 PM, dkoleary <[email protected]> wrote:
> Hey;
>
> As mentioned in other posts, I'm trying to monitor the /etc directory but
> alert on /etc/passwd & shadow only if their permissions/ownership change.
> The rules used to read:
>
> <rule id="100003" level="1">
>   <if_group>syscheck,</if_group>
>   <regex>/etc/passwd|/etc/shadow</regex>
>   <description>Logging but not alerting changes to passwd/shadow files</description>
> </rule>
>
> <rule id="100004" level="10">
>   <if_sid>100003</if_sid>
>   <regex>[Oo]wnership was</regex>
>   <description>Ownership change for password or shadow file!</description>
> </rule>
>
> however, after testing them out, the second rule isn't getting kicked off.
> The alert shows:
>
> ** Alert 1346175104.45945: - local,syslog,
> 2012 Aug 28 12:31:44 nilrhutl02->syscheck
> Rule: 100003 (level 1) -> 'Logging but not alerting changes to passwd/shadow files'
> Integrity checksum changed for: '/etc/shadow'
> Ownership was '1', now it is '0'
> Group ownership was '503', now it is '0'
>
> I suspect that has to do with the regular expression [Oo] which attempts to
> find a capital or lower case 'o'. I replaced the [Oo] with a \w for any
> word character which I suspect will work; however, that feels like a bit of
> a kludge.
>
> Is there a way to make searches case insensitive or a better way to search
> for the word ownership regardless of the case of the first letter?
>
> Thanks.
>
> Doug O'Leary
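As an added illustration (not part of the thread and not OSSEC's own matching engine), the Python below models the two rules from the question as a parent/child chain: rule 100003 is eligible for events in the syscheck group, and rule 100004 is eligible only once 100003 has matched. Python's re.IGNORECASE stands in for the case-insensitive default that Daniel describes, so the plain pattern "Ownership was" is enough. The first event body is the syscheck text from the alert quoted above; the other two are constructed for contrast. The evaluator's semantics are a simplification assumed for this example; OSSEC's <regex> dialect is not Python's re.

```python
import re

# Simplified model of the two rules from the thread. This is a stand-alone
# illustration, not OSSEC's matcher: Python's re with IGNORECASE stands in
# for OSSEC's default case-insensitive <regex> matching.
RULES = [
    {
        "id": 100003, "level": 1, "if_group": "syscheck",
        "regex": r"/etc/passwd|/etc/shadow",
        "description": "Logging but not alerting changes to passwd/shadow files",
    },
    {
        "id": 100004, "level": 10, "if_sid": 100003,
        "regex": r"Ownership was",
        "description": "Ownership change for password or shadow file!",
    },
]


def evaluate(group, message):
    """Return the last rule that matches, following the if_group -> if_sid chain.

    A rule with if_group is eligible when the event's group matches; a rule
    with if_sid is eligible only after its parent rule id has already matched.
    Each eligible rule's regex is tested case-insensitively against the event
    body. None means no rule fired.
    """
    matched = None
    for rule in RULES:
        if "if_group" in rule:
            eligible = rule["if_group"] == group
        else:
            eligible = matched is not None and matched["id"] == rule["if_sid"]
        if eligible and re.search(rule["regex"], message, re.IGNORECASE):
            matched = rule
    return matched


# Event bodies. The first is the syscheck text from the alert in the thread;
# the other two are constructed for contrast.
EVENT_OWNERSHIP = (
    "Integrity checksum changed for: '/etc/shadow'\n"
    "Ownership was '1', now it is '0'\n"
    "Group ownership was '503', now it is '0'\n"
)
EVENT_CHECKSUM_ONLY = (  # constructed: content changed, owner unchanged
    "Integrity checksum changed for: '/etc/passwd'\n"
    "Size changed from '1234' to '1260'\n"
)
EVENT_OTHER_FILE = (  # constructed: ownership change on a file outside the watch list
    "Integrity checksum changed for: '/etc/hosts'\n"
    "Ownership was '0', now it is '1000'\n"
)


if __name__ == "__main__":
    for name, body in [("ownership", EVENT_OWNERSHIP),
                       ("checksum-only", EVENT_CHECKSUM_ONLY),
                       ("other-file", EVENT_OTHER_FILE)]:
        hit = evaluate("syscheck", body)
        if hit is None:
            print(f"{name}: no rule matched")
        else:
            print(f"{name}: rule {hit['id']} (level {hit['level']}) -> {hit['description']}")
```

Running it shows the level-10 rule firing only for the ownership change on /etc/shadow, the level-1 rule alone for a checksum-only change on /etc/passwd, and nothing for a file outside the watch list. Note that "Group ownership was" also satisfies a case-insensitive "Ownership was", which is what the poster wants here since group changes count as ownership changes; a rule meant to distinguish the two would need a more specific pattern.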
