Try using the system auditing option from rootcheck. You can specify what to look for in the file and the type of alert.
You can find some examples here: /var/ossec/etc/shared/system_audit_rcl.txt

thanks,

On Wed, Jun 15, 2011 at 1:46 PM, jplee3 <[email protected]> wrote:
> Hey guys,
>
> So I am researching something for our sysengs working on HPUX. We need
> to be able to audit a particular configuration file (or more) where a
> debugging flag can be added (which in turn would begin outputting
> files containing sensitive data to another directory on the system).
>
> Essentially, we want to be alerted if this debugging flag is ever
> turned on.
>
> The first thought was if there is an audit tool equivalent for HPUX
> (auditd or snoopy) but the syseng mentioned not as far as he knows, so
> that's not an immediate option.
>
> Is it possible to use OSSEC for this purpose? The only thing I can
> think of is using syscheck, with the 'report changes' option on, and
> then sending out an alert whenever the "debug" keyword is seen. But
> I'm not sure that would even be possible.
>
> Can anyone shed some light or offer suggestions?
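
A system-audit rule of the kind suggested in the reply, as an added example that is not part of the original thread or of the shipped OSSEC files. The config file path, the `debug=true` spelling of the flag and the rule file name are hypothetical placeholders.

```text
# Constructed example in the rootcheck system-audit (rcl) rule format.
# Assumptions (not from the thread): the config file path, the
# "debug=true" flag spelling and the rule file name are placeholders.
#
# Rule layout used by system_audit_rcl.txt:
#   [Name shown in the alert] [any|all] [reference]
#   f:<file> -> <pattern>;      f = file, "->" = look inside the file
#   r:   pattern is an OSSEC regex
#   !r:  pattern must NOT match the line
#   " && " joins patterns that must all match the same line

# Variable holding the file (comma-separate several candidate paths).
$app_conf=/opt/exampleapp/etc/app.conf;

# Fires when a non-comment line of the file carries the debug flag.
[Example app - debug flag is enabled] [any] []
f:$app_conf -> !r:^# && r:debug=true;

# Load the rule file from the agent's ossec.conf, inside <rootcheck>:
#   <system_audit>/var/ossec/etc/shared/example_app_rcl.txt</system_audit>
```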
