Question

Jamf Protect - custom analytic to monitor changes to sudoers file

  • October 9, 2024
  • 0 replies
  • 2 views

  • New Contributor

We would like to be able to monitor for changes to the sudoers file on Jamf Pro devices, via Jamf Protect.

We tried creating a new custom analytic, but it does not seem to work during our testing - no events are logged in the Alerts tab. Anyone know if there is an issue with our setup? 

It won't let me add a screenshot, so here is the 'predicate' in the Summary tab for the analytic:

( $event.isModified == 1 AND
$event.path ==[cd] "/private/etc/sudoers" )

The 'Event Type' is 'File System Event'