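1 <!-- Rules for detecting sensitive accounts in the list of last logged-in users. Note: <match> is a substring match, so these names also hit when they appear inside a longer user name or elsewhere in the event. -->
2 <!-- To get this working, set rule 535 in ossec_rules.xml to level 3 or higher and comment out its <options>no_log</options> line. -->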
5 <group name="access-control,">
7 <rule id="25000" level="7">
9 <match>root|reboot|admin|superuser|administrator|supervisor|toor</match>
10 <description>sensitive login detected</description>