On Monday 25 August 2008 16:24:35 LC Bruzenak wrote:
> I think I just saw the answer in the audisp-prelude man page:
> ...
> -w /etc/shadow -p wa
>
> and you want idmef alerts on this, you need to add -k
> ids-file-med or something appropriate to signal to the plugin
> that this message is for it.

Yes, you'd add -k ids-file- and then one of: info, low, med, or high
depending on how severe you consider this access.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
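
Added example (not part of the original message and not code from the audit project): a small checker that reads audit watch rules and reports whether each one carries an ids-file- key ending in one of the four severities named in the reply. The sample rules, function names and verdict labels are constructed for illustration.

```python
import shlex

PREFIX = "ids-file-"                         # key prefix from the thread
SEVERITIES = ("info", "low", "med", "high")  # severities listed in the reply

# Constructed sample rules (only the /etc/shadow watch appears in the thread).
SAMPLE_RULES = """\
# watch copied from the quoted man page excerpt, no key yet
-w /etc/shadow -p wa
-w /etc/passwd -p wa -k ids-file-med
-w /etc/sudoers -p wa -k ids-file-critical
-w /etc/hosts -p wa -k hosts-change
"""


def classify_watch(line):
    """Return (path, verdict) for a -w watch rule, or None for other lines."""
    tokens = shlex.split(line, comments=True)  # drops '#' comments
    opts = {"-w": [], "-k": []}
    # Pair each flag with the token that follows it.
    for flag, value in zip(tokens, tokens[1:]):
        if flag in opts:
            opts[flag].append(value)
    if not opts["-w"]:
        return None
    path = opts["-w"][0]
    if not opts["-k"]:
        return path, "no-key"
    ids_keys = [k for k in opts["-k"] if k.startswith(PREFIX)]
    if not ids_keys:
        return path, "no-ids-file-key"
    severity = ids_keys[0][len(PREFIX):]
    if severity not in SEVERITIES:
        return path, "bad-severity"
    return path, severity


def audit_rules(text):
    """Classify every watch rule found in a rules file's text."""
    results = (classify_watch(line) for line in text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for path, verdict in audit_rules(SAMPLE_RULES):
        print(f"{path}: {verdict}")
```
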
