Hello,
My team is evaluating OSSEC and we're looking for a method to capture sudo
commands when OSSEC detects the command has been executed. Is this an
option that is available today to capture output?
Note: I did see question/response to this going back to 2010. Since I am
new to OSSEC, I
Hi Steve,
OSSEC monitors logs. Generally the *output* from sudo commands is not logged.
(There is a LOG_OUTPUT option that can be configured in sudoers, but those logs
are generated in a special format that would probably be hard for OSSEC to
parse - since command output might be extensive and
I was wondering what folks' favorite "looking for evil" rules are?
*In particular I was wondering if folks have written any rules along the
following lines:*
- Detection of base64 encoding
- Powershell command execution
- Running of System.Management.Automation.ni.dll (powershell dll I
Hi Christina,
Thanks so much for your feedback. And, just so I am clear, I am not looking
for the standard output after the sudo command is issued but the whole sudo
command line "sudo ".
Right now, we're experimenting with OSSEC logs going to Kibana. This is
working well, but the question I
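To make the distinction in this thread concrete (sudo's own syslog line records the full command line, not the command's output, and that line is what a log monitor like OSSEC has to work with), here is an added example that is not part of the original thread or of the OSSEC project. It parses a few constructed sample lines in the format sudo writes to syslog/auth.log by default, pulls out the invoking user, target user and COMMAND field, and flags denied invocations and commands that touch a watched path. The sample lines, the watched-path list and the function names are all assumptions made for this example.

```python
import re

# Constructed sample auth.log excerpt (not from the thread). The sudo lines use the
# default message format sudo sends to syslog: "user : [reason ;] TTY=... ; PWD=... ;
# USER=... ; COMMAND=...". The sshd line is there to show non-sudo lines are skipped.
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/ls -la /root
Mar  3 10:16:12 host1 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar  3 10:17:45 host1 sudo:    alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:00 host1 sshd[1234]: Accepted publickey for steve from 10.0.0.5 port 50000 ssh2
"""

# One regex for the sudo syslog line. The optional "reason" group captures text such
# as "command not allowed" that sudo inserts before TTY= when the request is denied.
SUDO_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_log(log_text):
    """Return one dict per sudo line; lines from other programs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # A present "reason" means sudo refused the request (e.g. not in sudoers).
        ev["denied"] = ev["reason"] is not None
        events.append(ev)
    return events


def flag_events(events, watched_paths=("/etc/sudoers", "/etc/shadow")):
    """Return the subset of events a reviewer would want to look at first:
    denied requests, plus allowed commands whose arguments reference a watched path."""
    flagged = []
    for ev in events:
        if ev["denied"]:
            flagged.append(ev)
            continue
        # Split on whitespace so "/usr/bin/vi /etc/sudoers" is checked token by token.
        tokens = ev["command"].split()
        if any(tok.startswith(p) for tok in tokens for p in watched_paths):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in parse_sudo_log(SAMPLE_LOG):
        print(f'{ev["timestamp"]} {ev["user"]} -> {ev["target"]}: {ev["command"]}'
              + ("  [DENIED]" if ev["denied"] else ""))
    print("flagged:", [e["command"] for e in flag_events(parse_sudo_log(SAMPLE_LOG))])
```

Only the command line is recoverable from these lines; what the command printed never reaches syslog unless the separate sudoers log_output facility is enabled, which is the point Christina makes above.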