If you still follow this list, can you post your rules to do this? This isn't working for me, but I've been doing this:
<directories check_all="yes" report_changes="yes" realtime="yes" restrict= "authorized_keys">/home</directories> Anyone have an idea? Thanks, Rick On Friday, March 9, 2012 at 5:27:29 AM UTC-8, Michael Zoet wrote: > > Hi dan, > > > Syscheck /home/*/.ssh, and write a rule to ignore everything im that dir, > > then write a rule to alert on the authorized_keys file. > > Thanks for that and it works this way :-). > > Michael > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
