Syscheck /home/*/.ssh, and write a rule to ignore everything in that dir, then write a rule to alert on the authorized_keys file.

On Mar 8, 2012 12:07 PM, "Michael Zoet" <[email protected]> wrote:
> Hi to all,
>
> I am new to the list and I am using OSSEC for a few weeks in a 70 server
> environment and I like it a lot. But I have some questions ;-):
>
> I like to real time syscheck the /home/*/.ssh/authorized_keys file of
> every user. As far as I understand for syschecks I can not use regexes and
> for real time checks I can only check whole directories. So what are my
> options to get this done in an elegant way?
> On my 70 servers I have different users, and it would be hard work to
> provide a different list for every server. I'd like to have only one global
> configuration for this on the master.
>
> Thx in advance,
> Michael
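
The approach suggested in the reply, written out as an added example (not part of the original thread and not the OSSEC project's own configuration). The rule IDs 100100 and 100101, the alert level, and the descriptions are assumptions chosen for illustration; the wildcard path is taken from the reply, and whether syscheck expands it depends on the installed version.

```xml
<!-- ossec.conf, syscheck section: watch each user's .ssh directory in real time.
     The wildcard path is the one suggested in the reply; confirm that the
     installed syscheck version expands it before relying on it. -->
<syscheck>
  <directories realtime="yes" check_all="yes">/home/*/.ssh</directories>
</syscheck>

<!-- rules/local_rules.xml on the manager. IDs 100100 and 100101 are example
     values from the local range (100000 and above). -->
<group name="local,">

  <!-- Silence syscheck events for anything under a .ssh directory. -->
  <rule id="100100" level="0">
    <if_group>syscheck</if_group>
    <match>/.ssh/</match>
    <description>Syscheck event under a user .ssh directory (ignored).</description>
  </rule>

  <!-- Child rule: evaluated only after 100100 has matched, so it raises the
       alert level again for authorized_keys alone. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <match>/.ssh/authorized_keys</match>
    <description>SSH authorized_keys file added, changed or deleted.</description>
  </rule>

</group>
```

Rules are evaluated on the manager, so the two rules are defined once there, and the syscheck entry can be placed in the shared agent.conf to reach every agent. The match string also covers authorized_keys2, since it is a substring match.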
