On Tue, Feb 25, 2014 at 3:41 PM, John Hoyt <[email protected]> wrote:
> Thanks Dan.
>
> Here's what I've put together so far for the local_rules.xml file.
>
> <rule id="100101" level="7">
> <if_group>syscheck</if_group>
> <match>for: '/etc/</match>
> <match>sudoers</match>

I'd just put the interesting information on 1 line:
<match>/etc/sudoers</match>

> <description>Sudoers File Changed.</description>
> </rule>
>
> How does this look, and would it be placed within the
> <group name="local,syslog,"> and </group> tags?
>

Correct. It probably won't work outside of those tags.

> Thanks again,
> John
>
> On Tuesday, February 25, 2014 10:34:22 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Tue, Feb 25, 2014 at 10:25 AM, John Hoyt <[email protected]> wrote:
>> > I've been tasked with using OSSEC to email an alert whenever a user is
>> > given sudo access.
>> >
>> > I have OSSEC up and running, and emailing already.
>> >
>> > Any suggestions on where to start?
>> >
>>
>> I think the best you can do is be alerted when the file changes. You
>> can even get a diff of the changes made.
>> Look at the syscheck options for more information.
>>
>> > Thanks,
>> > John
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
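Putting the two corrections from this thread together, here is an added example (not from the thread or the OSSEC project) of the complete local_rules.xml rule next to the ossec.conf syscheck stanza it depends on. The syscheck attribute values, the alert_by_email option, and watching /etc/sudoers.d as well are my assumptions about a sensible setup, not something the thread specifies.

```xml
<!-- local_rules.xml: the rule from the thread, with the single <match>
     Dan suggested, placed inside the <group name="local,syslog,"> block
     it has to live in. -->
<group name="local,syslog,">
  <rule id="100101" level="7">
    <if_group>syscheck</if_group>
    <!-- syscheck alerts name the file, e.g.
         "Integrity checksum changed for: '/etc/sudoers'",
         so matching on the path alone is enough; it also catches
         files under /etc/sudoers.d/ -->
    <match>/etc/sudoers</match>
    <description>Sudoers File Changed.</description>
    <!-- assumption: send the e-mail even if the global
         email_alert_level is set higher than 7 -->
    <options>alert_by_email</options>
  </rule>
</group>

<!-- ossec.conf (assumed values): the rule only fires if syscheck is
     actually watching the file. report_changes="yes" is what produces
     the diff Dan mentioned; realtime="yes" needs inotify support, and
     without it the change is only seen on the next scheduled scan
     (frequency is in seconds). -->
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc/sudoers</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc/sudoers.d</directories>
  </syscheck>
</ossec_config>
```

Restart OSSEC after editing either file, then edit /etc/sudoers with visudo on a test host to confirm the alert arrives with the diff attached.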
