Invalid Console Login (AIX 7)

Microsoft.ACS.AIX.7.Console.Invalid (Rule)

Rule to collect invalid console login events

Knowledge Base article:

Summary

An invalid login attempt via the system console has been detected in the system log files.

Causes

A user unsuccessfully attempted to log in via the system console.

Resolutions

The alert description and/or the output data item contain information on the event encountered. If the activity appears suspicious, check the associated event details and any other events that occurred around the time of this event.

Element properties:

Property Value
Target Microsoft.ACS.AIX.7.ACSEndPoint
Category EventCollection
Enabled False
Alert Generate False
Remotable True

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
WA WriteAction Microsoft.ACS.Unix.SecureEventLogWriter Default

Source Code:

<Rule ID="Microsoft.ACS.AIX.7.Console.Invalid" Enabled="false" Target="Microsoft.ACS.AIX.7.ACSEndPoint" Remotable="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
      <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
      <LogFile>/var/log/syslog.log</LogFile>
      <!-- [TYPE] AIX ConsoleLogin False -->
      <!-- [INPUT] Oct 5 13:22:23 scxomd-aix7-01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER -->
      <!-- [EXPECTED] date="Oct 5 13:22:23"; hostname="scxomd-aix7-01"; user="UNKNOWN_USER" -->
      <RegExpFilter>[[:space:]]+syslog: .*: failed login attempt for UNKNOWN_USER$</RegExpFilter>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter">
      <RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+.*\s+syslog: (?!sshd).*: failed login attempt for (?'user'UNKNOWN_USER)$</RegExp>
      <EventType>0</EventType>
      <EventId>27003</EventId>
      <BackrefDefaults>process="login"</BackrefDefaults>
    </WriteAction>
  </WriteActions>
</Rule>
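To show how the two regular expressions above cooperate, the following Python is an added example (not code from the management pack): it applies the DataSource filter and then the WriteAction extraction to a few constructed syslog lines, and fills in the BackrefDefaults the rule declares. The POSIX `[[:space:]]` class and the .NET `(?'name'...)` group syntax are translated to their Python `re` equivalents; the sample lines and the event dictionary layout are assumptions for illustration.

```python
import re

# Constructed sample lines in the shape of the rule's [INPUT] comment (not real log data).
# Line 1 should be collected; line 2 is rejected by the (?!sshd) lookahead; line 3 never
# passes the DataSource filter because it is not a failed login.
SAMPLE_LOG = """\
Oct 5 13:22:23 scxomd-aix7-01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
Oct 5 13:22:40 scxomd-aix7-01 auth|security:info syslog: sshd: failed login attempt for UNKNOWN_USER
Oct 5 13:23:01 scxomd-aix7-01 auth|security:info syslog: vty0: login successful for root
"""

# Stage 1: the DataSource <RegExpFilter>, with POSIX [[:space:]] rendered as \s.
FILTER_RE = re.compile(r"\s+syslog: .*: failed login attempt for UNKNOWN_USER$")

# Stage 2: the WriteAction <RegExp>, with .NET (?'name'...) rendered as (?P<name>...).
EXTRACT_RE = re.compile(
    r"(?P<date>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?P<hostname>\S+)\s+.*\s+syslog: "
    r"(?!sshd).*: failed login attempt for (?P<user>UNKNOWN_USER)$"
)

# <BackrefDefaults> from the rule: fields the regex does not capture get these values.
BACKREF_DEFAULTS = {"process": "login"}
EVENT_ID = 27003  # <EventId> from the rule


def collect_events(log_text):
    """Return one event dict per line that survives both the filter and the extraction."""
    events = []
    for line in log_text.splitlines():
        if not FILTER_RE.search(line):
            continue  # dropped by the DataSource filter before it reaches the WriteAction
        match = EXTRACT_RE.search(line)
        if match is None:
            continue  # passed the filter, but the WriteAction regex rejects it (e.g. sshd)
        fields = dict(BACKREF_DEFAULTS)
        fields.update(match.groupdict())  # captured groups override the defaults
        fields["event_id"] = EVENT_ID
        events.append(fields)
    return events


if __name__ == "__main__":
    for event in collect_events(SAMPLE_LOG):
        print(event)
```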