All,
Probably a simple answer, but not for me. I want an alert to fire any time
there is a sudo operation with the COMMAND being a shell (/bin/bash in this
instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Any pointers? I am new
On Tue, Jan 22, 2013 at 2:34 PM, Phil Cox p...@rightscale.com wrote:
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Phil,
You could write a new rule in your local_rules.xml, like the following:
<rule id="101022" level="7">
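Added example, not part of the thread and not an OSSEC rule: a stand-alone Python check of the match logic an alert like this needs, run over sudo records shaped like the one quoted above. It compares the executable name in COMMAND against a shell list instead of searching for the substring "bash"; the names `SHELLS`, `parse_sudo`, `is_shell_sudo` and `flagged`, and all sample lines except the first, are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Assumption: the shells worth flagging; extend to match what is installed on your hosts.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# sudo record: "<invoker> : KEY=value ; KEY=value ; ... ; COMMAND=<command line>"
SUDO_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<invoker>\S+)\s+:\s+(?P<fields>.*)$")

# Constructed sample lines; the first is the record from the thread, unwrapped.
SAMPLES = [
    "Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash",
    "Jan 22 21:02:41 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=root ; COMMAND=/usr/bin/vim /etc/bash.bashrc",
    "Jan 22 21:03:05 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id",
    "Jan 22 21:04:00 ossec-global sshd[812]: Accepted publickey for appuser from 192.0.2.10 port 50022 ssh2",
]

def parse_sudo(line):
    """Return the fields of a sudo command record, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND is the last field and may contain " ; " itself, so split it off first.
    head, sep, command = m.group("fields").partition("COMMAND=")
    if not sep:
        return None
    rec = {"invoker": m.group("invoker"), "COMMAND": command.strip()}
    for part in head.split(" ; "):
        key, eq, value = part.strip().partition("=")
        if eq:
            rec[key] = value
    return rec

def is_shell_sudo(line):
    """True when the program sudo ran (first word of COMMAND) is a shell."""
    rec = parse_sudo(line)
    if rec is None or not rec["COMMAND"]:
        return False
    exe = rec["COMMAND"].split()[0]
    return PurePosixPath(exe).name in SHELLS

def flagged(lines):
    """Parsed records for every line that should raise the alert."""
    return [parse_sudo(line) for line in lines if is_shell_sudo(line)]

if __name__ == "__main__":
    for rec in flagged(SAMPLES):
        print(f"ALERT: {rec['invoker']} ran {rec['COMMAND']!r} as {rec.get('USER')}")
```

The second sample shows why a plain substring match on "bash" would misfire: the editor is opening /etc/bash.bashrc, and no shell is started.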