[mythcat@desk ~]$ su
Password:
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-systemd.pp
[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three modes that the monitor can be executed with and they relate to what will be monitored.These modes are USERS|PATHS|FILES.
The options break down as follows:
- USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them.If inotify_webdir is set then the users webdir, if it exists, will only be monitored;
- PATHS: A comma spaced list of paths to monitor;
- FILE: A line spaced file list of paths to monitor
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or
download from https://github.com/rvoicilas/inotify-tools/wiki/
[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
inotify-tools-3.14-16.fc30.x86_64
Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks
(C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log