Use this, select alert, select regex, save. If you want to block the command you will need to select block as well before saving.
.*(^|\W)chmod($|\W).*
If you do not receive an email alert, first check your session logs to see if the alert is in there. if it is not, something is wrong with your regex or PAM itself (the regex i posted above DOES work).
If the alert DOES appear in your session logs, then something is wrong with your email/monitor settings in PAM. Make sure you have the proper email address and mail settings in PAM.
Let me know how you make out.
-ShawnC
Original Message:
Sent: 06-10-2019 04:48 PM
From: Julian Riano
Subject: Monitor chmod command by using command filter
Hi Community
I tried to monitor the chmod command so that when it isexecuted indicate me by mail, but I have not achieved
I tried as Regexp but it doesn't work. The objective is to bealerted by email and marked in red the sessions where thecommand runs.
Any ideas for this?