Thanks Dan.

Here's what I've put together so far for the local_rules.xml file.

<rule id="100101" level="7">
 <if_group>syscheck</if_group>
 <!-- syscheck's change alert reads: Integrity checksum changed for: '/etc/sudoers' -->
 <match>for: '/etc/sudoers</match>
 <description>Sudoers File Changed.</description>
</rule>

How does this look, and would it be placed within the <group 
name="local,syslog,"> and </group> tags?

Thanks again,
John
On Tuesday, February 25, 2014 10:34:22 AM UTC-5, dan (ddpbsd) wrote:
>
> On Tue, Feb 25, 2014 at 10:25 AM, John Hoyt <[email protected]> wrote: 
> > I've been tasked with using OSSEC to email an alert whenever a user is 
> given 
> > sudo access. 
> > 
> > I have OSSEC up and running, and emailing already. 
> > 
> > Any suggestions on where to start? 
> > 
>
> I think the best you can do is be alerted when the file changes. You 
> can even get a diff of the changes made. 
> Look at the syscheck options for more information. 
>
> > Thanks, 
> > John 
> > 
>
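Putting the pieces of this thread together, here is an added example (not John's or Dan's configuration, and not shipped with OSSEC) of how the rule sits inside the stock `<group name="local,syslog,">` wrapper of local_rules.xml, next to the syscheck entry in ossec.conf that produces the diff Dan mentioned. The rule id 100101, the level, the file paths and the assumption that every syscheck alert about a file quotes its path as '/etc/sudoers...' are choices made for this example, not facts from the thread; verify the exact alert text against your own alerts.log before relying on it.

```xml
<!-- /var/ossec/rules/local_rules.xml (fragment, example only) -->
<group name="local,syslog,">

  <!-- Any syscheck alert (changed, added, deleted) whose message quotes a
       path starting with '/etc/sudoers. This covers /etc/sudoers itself and
       everything under /etc/sudoers.d/. Level 7 is OSSEC's default
       email_alert_level, so this alert is mailed without extra config. -->
  <rule id="100101" level="7">
    <if_group>syscheck</if_group>
    <match>'/etc/sudoers</match>
    <description>Sudoers configuration changed.</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf (fragment, example only): make syscheck watch
     the sudoers files and include a diff of the change in the alert. -->
<ossec_config>
  <syscheck>
    <!-- report_changes="yes" is what puts the diff in the alert;
         check_all="yes" compares size, permissions, owner and hashes. -->
    <directories check_all="yes" report_changes="yes">/etc/sudoers,/etc/sudoers.d</directories>
  </syscheck>
</ossec_config>
```

One design note: the original draft used two consecutive `<match>` elements. OSSEC's rule loader concatenates repeated `<match>` values into a single pattern, so that form happens to work, but a single `<match>` makes the intent obvious and avoids surprises if the elements are ever reordered. After editing either file, run /var/ossec/bin/ossec-logtest with a sample syscheck alert line to confirm rule 100101 fires before restarting the server.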

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.