Ha van még időd és lehetőséged, kipróbálnád, hogy ha a vfs_full_audit be van kapcsolva, mik kerülnek a logba, amikor a vírus egy adott fájlon tevékenykedik?
Ezekre lennék kíváncsi:
chdir
chflags
chmod
chmod_acl
chown
close
closedir
connect
disconnect
disk_free
fchmod
fchmod_acl
fchown
fget_nt_acl
fgetxattr
flistxattr
fremovexattr
fset_nt_acl
fsetxattr
fstat
fsync
ftruncate
get_nt_acl
get_quota
get_shadow_copy_data
getlock
getwd
getxattr
kernel_flock
link
linux_setlease
listxattr
lock
lseek
lstat
mkdir
mknod
open
opendir
pread
pwrite
read
readdir
readlink
realpath
removexattr
rename
rewinddir
rmdir
seekdir
sendfile
set_nt_acl
set_quota
setxattr
stat
statvfs
symlink
sys_acl_delete_def_file
sys_acl_get_fd
sys_acl_get_file
sys_acl_set_fd
sys_acl_set_file
telldir
unlink
utime
writeEgy példa az smb.conf fájlba:
[audit-test]
path = /test
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = chdir chflags chmod chmod_acl chown close closedir connect disconnect disk_free fchmod fchmod_acl fchown fget_nt_acl fgetxattr flistxattr fremovexattr fset_nt_acl fsetxattr fstat fsync ftruncate get_nt_acl get_quota get_shadow_copy_data getlock getwd getxattr kernel_flock link linux_setlease listxattr lock lseek lstat mkdir mknod open opendir pread pwrite read readdir readlink realpath removexattr rename rewinddir rmdir seekdir sendfile set_nt_acl set_quota setxattr stat statvfs symlink sys_acl_delete_def_file sys_acl_get_fd sys_acl_get_file sys_acl_set_fd sys_acl_set_file telldir unlink utime write
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = notice
Köszönöm