You could always dump the output of some account auditing program into a file and add a custom rule to monitor for something in that file.
On Linux the psacct suite of tools works well for me.

jimi

MdMonk wrote:
> .bash_history isn't updated until the shell is exited.
>
> -Chuck
>
> On Thu, Apr 2, 2009 at 10:07 PM, OSSEC junkie <[email protected]> wrote:
>
>> It is Nix. I hope this will work out. Has anyone else spoken of this?
>>
>>
>> On Wed, Apr 1, 2009 at 5:04 PM, Michael Starks <
>> [email protected]> wrote:
>>
>>> OSSEC junkie wrote:
>>>> All:
>>>>
>>>> Is it possible for ossec to monitor a certain directory or file and
>>>> alert if a specific command is run? I am running OSSEC 1.6.1 right now
>>>> but if this is available in the latest release, I will most certainly
>>>> upgrade. Any ideas if this is possible and if so, how do I implement
>>>> this?
>>>> Thanks!
>>> Is this 'nix? Maybe you can monitor .bash_history. Not foolproof, but
>>> maybe suitable for your needs.
>>>
>>
>
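The approach suggested at the top of this message (dump accounting output to a file, then match it with a custom rule), sketched as an added example that is not part of the original thread. It assumes lastcomm-style columns from psacct; the `acct-watch:` tag, the `WATCHED` list and the log path are hypothetical names, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: turn process-accounting output into tagged log lines that a
# custom OSSEC rule can match. Assumed record layout (lastcomm style):
#   command [flags] user tty N.NN secs date...
# WATCHED and the "acct-watch:" tag are hypothetical, not OSSEC or psacct names.

WATCHED="${WATCHED:-su sudo nc wget}"

# Reads accounting records on stdin, prints one tagged line per watched command.
acct_watch() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            # The flags column may be empty, so locate the fixed "secs" token
            # and count backwards instead of trusting field positions.
            s = 0
            for (i = 5; i <= NF; i++) if ($i == "secs") { s = i; break }
            if (s == 0) next                  # not an accounting record
            cmd = $1; user = $(s - 3); tty = $(s - 2)
            if (!(cmd in want)) next
            when = ""
            for (i = s + 1; i <= NF; i++) when = when (when == "" ? "" : " ") $i
            printf "acct-watch: command=%s user=%s tty=%s time=\"%s\"\n", cmd, user, tty, when
        }'
}

# Constructed sample input (not real accounting data).
sample_records() {
    cat <<'EOF'
ls                     alice    pts/1      0.00 secs Thu Apr  2 22:05
su                S    alice    pts/1      0.01 secs Thu Apr  2 22:06
cron              F    root     __         0.00 secs Thu Apr  2 22:07
wget                   bob      pts/2      0.03 secs Thu Apr  2 22:08
EOF
}

# Typical use (assumed path): lastcomm | acct_watch >> /var/log/acct-watch.log
```

The resulting file can then be listed as a monitored log in ossec.conf, with a local rule matching on the `acct-watch:` tag. Accounting records are written when a process exits, so a long-running command shows up only after it finishes.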
