On Mon, 2008-08-25 at 16:41 -0400, Steve Grubb wrote:
> On Monday 25 August 2008 16:24:35 LC Bruzenak wrote:
> > I think I just saw the answer in the audisp-prelude man page:
> > ...
> > -w /etc/shadow -p wa
> >
> > and you want idmef alerts on this, you need to add -k
> > ids-file-med or something appropriate to signal to the plugin
> > that this message is for it.
>
> Yes, you'd add -k ids-file- and the one of: info, low, med, or high
> depending on how severe you consider this access.
>
> -Steve

...and of course then that made me think if we can do this for the file watches, why not for user-submitted events also? Some of these I am already sending into the prelude system via patched audisp-prelude.c code, but I'd prefer to rip out this hack and instead just have a matching key identified.

LCB.

--
LC (Lenny) Bruzenak
