Hi,
Maldet can be used for real-time monitoring. The feature that provides this is "inotify monitoring". The maldet monitoring option requires a kernel that supports inotify_watch, which is found in kernels 2.6.13+ and in CentOS/RHEL 5 by default. The main advantage is that we can use this feature instead of a daily/weekly scan. We can also configure maldet to send email alerts.
It scans users' file create/modify/move operations in real time.
The monitor can be run in three modes, which determine what is monitored: USERS|PATHS|FILES.
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton
The options break down as follows:
USERS - The users option takes the home directories of all system users that are above inotify_minuid and monitors them. If inotify_webdir is set, then only the user's webdir, if it exists, is monitored.
PATHS - A comma-separated list of paths to monitor
FILE - A file listing the paths to monitor, one per line
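
To see in advance what the USERS mode would cover, the selection rule described above can be previewed with a short script. This is an added example, not maldet's own code: the function names, the sample accounts and tree, and the value public_html are constructed for illustration, and "above inotify_minuid" is assumed to mean uid >= inotify_minuid.

```shell
#!/bin/sh
# Added example, not maldet code: preview the directories that
# `maldet --monitor users` would watch under the rule described above.

# preview_user_watch PASSWD_FILE MINUID [WEBDIR]
#   MINUID = inotify_minuid, WEBDIR = inotify_webdir (empty when unset)
preview_user_watch() {
    pw_file=$1; minuid=$2; webdir=${3:-}
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # malformed line
        # Assumption: "above inotify_minuid" is read as uid >= minuid.
        [ "$uid" -ge "$minuid" ] || continue
        [ -d "$home" ] || continue                   # home dir is gone
        if [ -n "$webdir" ]; then
            # webdir set: only the webdir is watched, and only if present
            [ -d "$home/$webdir" ] && printf '%s\n' "$home/$webdir"
        else
            printf '%s\n' "$home"
        fi
    done < "$pw_file"
    return 0
}

# Constructed sample: a throwaway tree and a passwd-format file.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/mike/public_html" "$root/home/ashton" "$root/var/lib/svc"
    cat > "$root/passwd" <<EOF
svc:x:101:101::$root/var/lib/svc:/sbin/nologin
mike:x:1000:1000::$root/home/mike:/bin/bash
ashton:x:1001:1001::$root/home/ashton:/bin/bash
gone:x:1002:1002::$root/home/gone:/bin/bash
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
echo "inotify_webdir unset:"
preview_user_watch "$sample/passwd" 500
echo "inotify_webdir=public_html:"
preview_user_watch "$sample/passwd" 500 public_html
rm -rf "$sample"
```

On a real host, pass /etc/passwd and the inotify_minuid and inotify_webdir values from your maldet configuration. Accounts that drop out of the list when inotify_webdir is set have no webdir and would not be monitored in USERS mode.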