Rule:5402 - OSSEC Wiki

From OSSEC Wiki

Jump to: navigation, search

Rule:

 <rule id="5402" level="3">
   <if_sid>5400</if_sid>
   <match> ; USER=root ; COMMAND=</match>
   <description>Successful sudo to ROOT executed</description>
 </rule>

Inside file: syslog_rules
Inside group(s): Errors, Syslog
Depends on: Rule 5400
False positive: None
Comments:

Successful sudo to ROOT executed

Example of log:

May 12 20:25:09 server1 sudo: joeuser : TTY=pts/0 ; PWD=/home/joeuser ; USER=root ; COMMAND=/bin/bash

Retrieved from "http://www.ossec.net/wiki/index.php/Rule:5402"

Views

Edit

Personal tools

Log in / create account

Documentation

Search