All, Probably a simple answer, but not for me. I want an alert to fire any time there is a sudo operation with the COMMAND being a shell (/bin/bash in this instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash

Any pointers? I am new to developing rules. Using 2.7.0.

Thanks, Phil
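As an added example (not from the original post), a local rule that fires on the log line above. It assumes the stock sudo decoder and the base rule 5400 ("Initial group for sudo messages") from syslog_rules.xml, and goes in /var/ossec/rules/local_rules.xml with an id from the local range; the stock rule 5402 only covers USER=root, so it would not see this line (USER=bob).

```xml
<!-- Added example: fragment for /var/ossec/rules/local_rules.xml.
     Assumes the stock "sudo" decoder and base rule 5400 from
     syslog_rules.xml; rule id 100100 is from the user-defined range. -->
<group name="local,syslog,sudo,">

  <!-- Fires when sudo is used to start a shell, whatever the target user.
       The "$" anchor keeps "/bin/bash" from matching a longer path such as
       /bin/bash-helper; the second alternative (OSSEC's "|" means OR)
       covers invocations with flags such as "-i", "-l" or "-c", which
       still give the caller a shell. Add further alternatives (for
       example "; COMMAND=/bin/sh$") to cover other shells. -->
  <rule id="100100" level="10">
    <if_sid>5400</if_sid>
    <regex>; COMMAND=/bin/bash$|; COMMAND=/bin/bash -</regex>
    <description>sudo used to start a shell (/bin/bash).</description>
    <group>sudo,privilege_escalation,</group>
  </rule>

</group>
```

Paste the log line into /var/ossec/bin/ossec-logtest to confirm that rule 100100 is the one that fires before restarting OSSEC.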
