#kolide
fritz

10/16/2018, 8:23 PM
@pvirani if I understand correctly you only want to monitor changes to sudoers and passwd but your query is looking at the recursive contents of your `etc` folder or your `root` folder and all contents of your `~/.ssh` folder.
pvirani

10/17/2018, 9:43 PM
yes this is the intent @fritz because we want to collect all the info from our potentially sensitive directories, but only want to alert on selected things
fritz

10/17/2018, 9:48 PM
Cool, sounds good. I take it you got your answer regarding the churn from @8p8c in terms of `atime` and other values that are subject to frequent change.
pvirani

10/17/2018, 10:09 PM
yes