[Change] docs: monitor_scan_owner_filters toggle reference; issue #485

[Change] conf.maldet: scan_ignore_root comment cross-references monitor
         carve-out (monitor_scan_owner_filters default-off); issue #485
[Change] README.md: scan_ignore_root row notes monitor exception; new
         monitor_scan_owner_filters row in monitor config table; issue #485
[Change] maldet.1: MONITOR MODE gains carve-out paragraph explaining
         default-off ownership filters and monitor_scan_owner_filters
         semantics; Monitoring config group listing updated; issue #485

Author: rfxn

CHANGELOG

@@ -100,6 +100,12 @@ v2.0.1 | Mar 25 2026:
          Dockerfile bake + explicit helper call); unblocks issue-485
          UAT which re-sets scan_ignore_root=1 to exercise the
          production default; issue #485
+[Change] docs: conf.maldet scan_ignore_root comment cross-references monitor carve-out;
+         README.md scan_ignore_root row notes monitor exception, new
+         monitor_scan_owner_filters row added to monitor config table;
+         maldet.1 MONITOR MODE gains carve-out paragraph (issue #485 rationale,
+         monitor_scan_owner_filters semantics) and Monitoring config group
+         listing updated; issue #485
 [Change] Vendored libs synced to canonical: tlog_lib 2.0.6, alert_lib 1.0.7, elog_lib 1.0.6, pkg_lib 1.0.10 (zero functional change)
 [Change] Alert templates: consolidate summary into headers; drop "TOTAL" prefix from
          labels (HITS/CLEANED/QUARANTINED); add quarantine metrics; aligned column spacing

CHANGELOG.RELEASE

@@ -100,6 +100,12 @@ v2.0.1 | Mar 25 2026:
          Dockerfile bake + explicit helper call); unblocks issue-485
          UAT which re-sets scan_ignore_root=1 to exercise the
          production default; issue #485
+[Change] docs: conf.maldet scan_ignore_root comment cross-references monitor carve-out;
+         README.md scan_ignore_root row notes monitor exception, new
+         monitor_scan_owner_filters row added to monitor config table;
+         maldet.1 MONITOR MODE gains carve-out paragraph (issue #485 rationale,
+         monitor_scan_owner_filters semantics) and Monitoring config group
+         listing updated; issue #485
 [Change] Vendored libs synced to canonical: tlog_lib 2.0.6, alert_lib 1.0.7, elog_lib 1.0.6, pkg_lib 1.0.10 (zero functional change)
 [Change] Alert templates: consolidate summary into headers; drop "TOTAL" prefix from
          labels (HITS/CLEANED/QUARANTINED); add quarantine metrics; aligned column spacing

README.md

@@ -269,7 +269,7 @@ maldet -co quarantine_hits=1,email_addr=you@domain.com -a /home
 | `scan_cpunice` | Nice priority for scan process (-19 to 19) | `19` |
 | `scan_ionice` | IO scheduling class priority (0-7) | `6` |
 | `scan_cpulimit` | Hard CPU limit percentage (0=disabled) | `0` |
-| `scan_ignore_root` | Skip root-owned files in scans | `1` |
+| `scan_ignore_root` | Skip root-owned files in scans (not applied in monitor mode by default; see `monitor_scan_owner_filters`) | `1` |
 | `scan_ignore_user` | Skip files owned by specific users | — |
 | `scan_ignore_group` | Skip files owned by specific groups | — |
 | `scan_user_access` | Allow non-root users to run scans | `0` |
@@ -336,6 +336,7 @@ maldet -co scan_yara=1 -a /home/?/public_html
 | `digest_escalate_hits` | Hit count threshold for immediate escalation alert; `0` = disabled | `0` |
 | `cron_digest_hook` | Enable cron.daily hook digest sweep (fires digest if new hook detections exist) | `1` |
 | `monitor_paths_extra` | Path to a line-separated file of additional inotify watch paths | `/usr/local/maldetect/monitor_paths.extra` |
+| `monitor_scan_owner_filters` | Apply `scan_ignore_root`/`scan_ignore_user`/`scan_ignore_group` ownership filters in monitor mode; `0` (default) = off — monitor scans all files regardless of owner (restores 1.6.6 semantics, fixes issue #485); `1` = on — apply ownership filters (matches rc1..rc3 behavior) | `0` |
 
 ### 3.7 Post-Scan Hooks
 

files/conf.maldet

@@ -298,6 +298,9 @@ scan_cpulimit="0"
 # As a design and common use case, LMD typically only scans user space paths
 # and as such it makes sense to ignore files that are root owned. It is
 # recommended to leave this enabled for best performance.
+# Note: in monitor mode, this filter is NOT applied by default (controlled
+# by monitor_scan_owner_filters below) so that root-owned malware drops in
+# user docroots are not silently skipped; issue #485.
 # [ 0 = disabled, 1 = enabled ]
 scan_ignore_root="1"
 

files/maldet.1

@@ -447,7 +447,8 @@ Key variables by category:
 .BR inotify_cpulimit ,
 .BR digest_interval ,
 .BR digest_escalate_hits ,
-.BR monitor_paths_extra .
+.BR monitor_paths_extra ,
+.BR monitor_scan_owner_filters .
 .PP
 .B Hook Scanning:
 .BR hookscan_timeout ,
@@ -848,6 +849,22 @@ by listing them (one per line) in the file pointed to by
 .BR monitor_paths_extra .
 These are merged with the primary path list on every cycle reload.
 .PP
+By default, monitor mode scans every file that lands in its watched scope
+regardless of owner \(em including root\-owned files.
+This restores the behavior of LMD 1.6.6 and closes the detection gap
+for root\-owned malware dropped into user docroots (issue #485).
+The ownership filters
+.BR scan_ignore_root ,
+.BR scan_ignore_user ,
+and
+.B scan_ignore_group
+are NOT applied in monitor mode unless
+.B monitor_scan_owner_filters
+is set to
+.BR 1 ,
+which re\-enables the rc1\[en]rc3 behavior for operators who have deliberately
+tuned their ownership filter configuration.
+.PP
 Monitor exclusions union two files:
 .B ignore_inotify
 (user\-owned, preserved across upgrades) and