On 09/13/2010 10:09 AM, Tyler Ross wrote:
Hello all!I am needing to create a rule that will alert when a local account is created on clients running OSSEC, and also a rule that will alert when any local account is joined to the Administrators group.
This should be doable. Please post some sanitized logs with examples of a local user being created and added to the admins group.
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
