In relation to https://wiki.univention.de/index.php/Cool_Solution_-_Ransomware_protection_with_Fail2Ban
The commands pwrite, write and rename are filtered with VFS audit.
rename is clear: renaming of a file or directory
pwrite I find in my logs, but only for system files like *.tmp files
write is never logged (for one year now)
When a crypto trojan is active, it will rename and encrypt the file.
Encrypting the file needs to open the file and save it.
I have simulated it (changed the file content) and found this in the audit logs:
smbd_audit: D1+test|10.0.7.142|private|open|ok|w|/srv/files/home/frank/UCS/VFS_audit.txt
smbd_audit: D1+test|10.0.7.142|private|ftruncate|ok|/srv/files/home/frank/UCS/VFS_audit.txt
smbd_audit: D1+test|10.0.7.142|private|close|ok|/srv/files/home/frank/UCS/VFS_audit.txt
The important keywords are |open|ok|w|: my interpretation: open for read and write
|ftruncate|: my interpretation: changing the file size of a file (in reference to the file descriptor)
Can somebody confirm that updating a file's content will produce this audit?
Thanks, Frank
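As an added example (not from the post, the wiki article or Univention), the following parser shows how a Fail2Ban-style check could count successful write-class events (open with a w flag, ftruncate, pwrite, write, rename) per client IP from smbd_audit lines of the layout quoted above. It assumes the field order seen in the post (user|ip|share|op|result|[flags]|path), uses a constructed sample log (the rename line and the second client are invented), and ignores time windows for brevity.

```python
import re
from collections import defaultdict

# Field layout as seen in the post: smbd_audit: user|ip|share|op|result|rest
# (rest is "flags|path" for open, "path" or "oldpath|newpath" otherwise) -- assumption
AUDIT_RE = re.compile(
    r"smbd_audit:\s*(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<rest>.*)$"
)

# Operations from the post that change content or names
WRITE_OPS = {"ftruncate", "pwrite", "write", "rename"}

def parse_line(line):
    """Split one smbd_audit line into a dict; return None for other lines."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").split("|")
    # For open the r/w flag field precedes the path; elsewhere the path is last
    rec["flags"] = rest[0] if rec["op"] == "open" and len(rest) > 1 else ""
    rec["path"] = rest[-1]
    return rec

def is_write_event(rec):
    """True for a successful operation that modifies a file or its name."""
    if rec["result"] != "ok":
        return False
    if rec["op"] == "open":
        return "w" in rec["flags"]
    return rec["op"] in WRITE_OPS

def count_write_events(lines):
    """Return {client_ip: number of successful write-class events}."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_write_event(rec):
            counts[rec["ip"]] += 1
    return dict(counts)

def suspicious_ips(lines, threshold=3):
    """Client IPs whose write-class event count reaches the threshold."""
    return sorted(ip for ip, n in count_write_events(lines).items() if n >= threshold)

# Constructed sample: the three lines from the post plus a rename and a read-only client
SAMPLE_LOG = [
    "smbd_audit: D1+test|10.0.7.142|private|open|ok|w|/srv/files/home/frank/UCS/VFS_audit.txt",
    "smbd_audit: D1+test|10.0.7.142|private|ftruncate|ok|/srv/files/home/frank/UCS/VFS_audit.txt",
    "smbd_audit: D1+test|10.0.7.142|private|close|ok|/srv/files/home/frank/UCS/VFS_audit.txt",
    "smbd_audit: D1+test|10.0.7.142|private|rename|ok|/srv/files/home/frank/UCS/VFS_audit.txt|/srv/files/home/frank/UCS/VFS_audit.txt.locked",
    "smbd_audit: D1+bob|10.0.7.77|private|open|ok|r|/srv/files/home/bob/notes.txt",
    "smbd_audit: D1+bob|10.0.7.77|private|pread|ok|/srv/files/home/bob/notes.txt",
]
```

Running `suspicious_ips(SAMPLE_LOG)` flags only 10.0.7.142, since the read-only client produces no write-class events.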