Quote:
Originally Posted by kapszone
so in a nutshell it is a complete replacement of the file, shouldn't this be captured by my watch command mentioned above?
It should but it clearly doesn't.
Quote:
Originally Posted by kapszone
Is the only solution to monitor the whole of the directory?
Couple of things to try depending on requirements:
- Try specific system calls (see 'ausyscall') for open, write?
- Use an active file integrity checker like Samhain (it can use inotify) and have it inject the appropriate message in audit log (see 'man auditctl')?
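As an added illustration of the syscall-rule suggestion (example code, not from the original thread): a script that emits the plain path watch from the question next to directory-scoped syscall rules that also fire when a file is replaced by a temp-file-plus-rename. The directory /etc/myapp and the key name myapp-cfg are assumed placeholders.

```shell
#!/bin/sh
# Added example: generate auditd rules for a file that gets *replaced*
# (new inode written elsewhere, then renamed over the original). A plain
# -w watch tracks the inode currently at the path, so a rename that swaps
# in a new inode can go unlogged; syscall rules scoped to the parent
# directory catch the rename and the creation of the replacement file.
# Assumed placeholders: /etc/myapp, myapp-cfg.

# The watch rule as in the original question: logs writes and attribute
# changes to the inode that currently sits at the given path.
watch_rule() {
    printf -- '-w %s -p wa -k %s\n' "$1" "$2"
}

# Syscall rules filtered on the directory (-F dir=), for both the 64-bit
# and 32-bit ABIs so a 32-bit binary cannot sidestep the rule. Syscall
# names can be checked against numbers with 'ausyscall --dump'.
syscall_rules() {
    dir=$1
    key=$2
    for arch in b64 b32; do
        # the swap itself: rename() family, e.g. mv tmpfile target
        printf -- '-a always,exit -F arch=%s -S rename,renameat,renameat2 -F dir=%s -k %s\n' \
            "$arch" "$dir" "$key"
        # creation of the replacement file in the same directory
        printf -- '-a always,exit -F arch=%s -S open,openat,creat -F dir=%s -k %s\n' \
            "$arch" "$dir" "$key"
    done
}

# Print the complete rule set; pipe into a file under /etc/audit/rules.d/
# and load with 'augenrules --load', then inspect with 'ausearch -k myapp-cfg'.
print_rules() {
    watch_rule "$1/app.conf" "$2"
    syscall_rules "$1" "$2"
}

print_rules /etc/myapp myapp-cfg
```

The open/openat rule will be noisy on a busy directory; narrowing it with -F uid= or -F exe= (see 'man auditctl') is the usual next step once the events of interest are confirmed.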