Yes. Look at the ruleset syslog_rules.xml, and make sure that the file to which sudo logs is looked at by your ossec.conf (usually /var/log/secure). You can add additional rules based on the ones you see in that ruleset to local_rules.xml.
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kat
Sent: Wednesday, June 08, 2011 09:11
To: ossec-list
Subject: [ossec-list] Rule for group sudo?

I have a group of users that I would like to monitor for sudo usage. I have looked at the standard root sudo, but was wondering if anyone had done any custom rules for this at all. Since it is about 50 users in this group that I want to monitor, there has to be an easy way and I am just not figuring it out.

thanks
-k
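An added example (not from the thread) of the kind of local rule Shane describes: the ossec.conf stanza that reads the sudo log, and local_rules.xml rules that alert whenever one of a named set of users runs sudo, with higher levels for runs as root and for failed attempts. It assumes the stock sudo parent rule is id 5400 (check your syslog_rules.xml), that /var/log/secure is the sudo log on this host, and uses placeholder usernames.

```xml
<!-- ossec.conf: make sure the file sudo logs to is being read
     (path assumed; Debian/Ubuntu use /var/log/auth.log) -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>

<!-- local_rules.xml: builds on the stock sudo parent rule (assumed id 5400;
     verify in syslog_rules.xml). Ids 100000-119999 are reserved for local
     rules. Usernames are placeholders: add one "name :" entry per watched
     account to the alternation. -->
<group name="local,sudo,">

  <!-- Any sudo line from a watched user. A sudo log line looks like:
       sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
       OS_Regex '|' is OR and the match is a substring match, so a name
       that ends in a watched name (e.g. "malice") would also match. -->
  <rule id="100100" level="7">
    <if_sid>5400</if_sid>
    <regex>alice :|bob :|carol :</regex>
    <description>sudo executed by a monitored user</description>
  </rule>

  <!-- Same users, command actually run as root: raise the level. -->
  <rule id="100101" level="9">
    <if_sid>100100</if_sid>
    <match> ; USER=root ; COMMAND=</match>
    <description>sudo to root by a monitored user</description>
  </rule>

  <!-- Same users, wrong password (sudo logs "N incorrect password attempts"). -->
  <rule id="100102" level="10">
    <if_sid>100100</if_sid>
    <match>incorrect password attempt</match>
    <description>Failed sudo attempt by a monitored user</description>
  </rule>
</group>
```

Level 7 is the default email_alert_level, so rule 100100 and its children will be mailed as well as logged. After restarting OSSEC, paste a sample sudo line into /var/ossec/bin/ossec-logtest to confirm that the rule id that fires is one of these and not the stock 5402.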
