Console login failure (SUSE Linux Enterprise Server 10)

Microsoft.ACS.Linux.SLES.10.Console.Failed (Rule)

Rule to collect console login failure events

Knowledge Base article:

Summary

An unsuccessful console login was detected in the system log files (/var/log/messages).

Causes

The user was not granted access to the system through the system console (the login process on a local tty reported "FAILED LOGIN ... Authentication failure"). This rule lets system administrators track use of the system console.

Resolutions

The alert description and/or the output data item contains information about the event that was found. If the activity looks suspicious, check the details of the associated event and any other events that occurred around the time of this event. Note that this is a collection rule (Alert Generate: False): matching lines are forwarded to Audit Collection Services as event ID 27003 rather than raising an Operations Manager alert, so the review is done against the collected ACS events.

Element properties:

Target: Microsoft.ACS.Linux.SLES.10.ACSEndPoint
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID | Module Type | TypeId | RunAs
EventDS | DataSource | Microsoft.Unix.SCXLog.Privileged.Datasource | Default
WA | WriteAction | Microsoft.ACS.Unix.SecureEventLogWriter | Default

Source Code:

<Rule ID="Microsoft.ACS.Linux.SLES.10.Console.Failed" Enabled="true" Target="Microsoft.ACS.Linux.SLES.10.ACSEndPoint" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
<LogFile>/var/log/messages</LogFile>
<!-- [TYPE] SUSE ConsoleLogin False -->
<!-- [INPUT] Oct 12 15:27:30 sles-101-cjc login[11912]: FAILED LOGIN 1 FROM /dev/tty1 FOR ccrammo, Authentication failure -->
<!-- [INPUT] Oct 12 15:27:35 sles-101-cjc login[11912]: FAILED LOGIN 2 FROM /dev/tty1 FOR ccrammo, Authentication failure -->
<!-- [INPUT] Oct 12 15:27:40 sles-101-cjc login[11912]: FAILED LOGIN SESSION FROM /dev/tty1 FOR ccrammo, Authentication failure -->
<!-- [INPUT] Oct 12 15:27:29 sles-101-cjc login[9912]: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure -->
<!-- [INPUT] Oct 12 15:27:34 sles-101-cjc login[9912]: FAILED LOGIN 2 FROM /dev/tty1 FOR root, Authentication failure -->
<!-- [INPUT] Oct 12 15:27:39 sles-101-cjc login[9912]: FAILED LOGIN SESSION FROM /dev/tty1 FOR root, Authentication failure -->
<!-- [EXPECTED] date="Oct 12 15:27:30"; hostname="sles-101-cjc"; process="login"; processId="11912"; user="ccrammo" -->
<!-- [EXPECTED] date="Oct 12 15:27:35"; hostname="sles-101-cjc"; process="login"; processId="11912"; user="ccrammo" -->
<!-- [EXPECTED] date="Oct 12 15:27:40"; hostname="sles-101-cjc"; process="login"; processId="11912"; user="ccrammo" -->
<!-- [EXPECTED] date="Oct 12 15:27:29"; hostname="sles-101-cjc"; process="login"; processId="9912"; user="root" -->
<!-- [EXPECTED] date="Oct 12 15:27:34"; hostname="sles-101-cjc"; process="login"; processId="9912"; user="root" -->
<!-- [EXPECTED] date="Oct 12 15:27:39"; hostname="sles-101-cjc"; process="login"; processId="9912"; user="root" -->
<RegExpFilter>login\[[[:digit:]]+\]: FAILED LOGIN.*FROM .* FOR \S+, Authentication failure</RegExpFilter>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter">
<RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+(?'process'login)\[(?'processId'\d+)\]: FAILED LOGIN.*FROM .* FOR (?'user'\S+), Authentication failure</RegExp>
<EventType>0</EventType>
<EventId>27003</EventId>
</WriteAction>
</WriteActions>
</Rule>
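To check what this rule actually forwards, the two-stage pipeline above (the data source's RegExpFilter, then the SecureEventLogWriter's capturing RegExp) can be replayed offline over sample syslog lines. The script below is an added example, not part of the management pack; it reuses the rule's own expressions with two syntax changes for Python's re module (the POSIX class [[:digit:]] becomes \d, and the .NET group syntax (?'name'...) becomes (?P<name>...)). The sample log is constructed from the six [INPUT] lines quoted in the rule plus two hypothetical lines (a successful console login and an sshd failure) that the filter must reject; failures_by_user is a triage helper of my own, not something the rule does.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample: the six [INPUT] lines from the rule above, followed by two
# hypothetical non-matching lines (a successful console login via pam_unix and
# an sshd password failure) that the RegExpFilter must reject.
SAMPLE_LOG = """\
Oct 12 15:27:30 sles-101-cjc login[11912]: FAILED LOGIN 1 FROM /dev/tty1 FOR ccrammo, Authentication failure
Oct 12 15:27:35 sles-101-cjc login[11912]: FAILED LOGIN 2 FROM /dev/tty1 FOR ccrammo, Authentication failure
Oct 12 15:27:40 sles-101-cjc login[11912]: FAILED LOGIN SESSION FROM /dev/tty1 FOR ccrammo, Authentication failure
Oct 12 15:27:29 sles-101-cjc login[9912]: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure
Oct 12 15:27:34 sles-101-cjc login[9912]: FAILED LOGIN 2 FROM /dev/tty1 FOR root, Authentication failure
Oct 12 15:27:39 sles-101-cjc login[9912]: FAILED LOGIN SESSION FROM /dev/tty1 FOR root, Authentication failure
Oct 12 15:28:01 sles-101-cjc login[11950]: pam_unix(login:session): session opened for user ccrammo by LOGIN(uid=0)
Oct 12 15:28:10 sles-101-cjc sshd[12001]: Failed password for root from 10.0.0.5 port 51022 ssh2
"""

# Stage 1: the rule's RegExpFilter, with [[:digit:]] rewritten as \d.
_FILTER = re.compile(
    r"login\[\d+\]: FAILED LOGIN.*FROM .* FOR \S+, Authentication failure"
)

# Stage 2: the SecureEventLogWriter RegExp, with (?'name'...) rewritten as (?P<name>...).
# The optional (?:\S+:)? token before the hostname is kept exactly as in the rule.
_EXTRACT = re.compile(
    r"(?P<date>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?P<hostname>\S+)\s+"
    r"(?P<process>login)\[(?P<processId>\d+)\]: FAILED LOGIN.*FROM .* FOR "
    r"(?P<user>\S+), Authentication failure"
)

ACS_EVENT_ID = 27003   # <EventId> assigned by the rule to every forwarded event
ACS_EVENT_TYPE = 0     # <EventType> from the rule


def filter_match(line: str) -> bool:
    """Stage 1: would the data source's RegExpFilter pass this syslog line on?"""
    return _FILTER.search(line) is not None


def parse_event(line: str) -> Optional[dict]:
    """Stage 2: extract the named fields the write action sends to ACS."""
    m = _EXTRACT.search(line)
    if m is None:
        return None
    event = m.groupdict()          # date, hostname, process, processId, user
    event["eventId"] = ACS_EVENT_ID
    event["eventType"] = ACS_EVENT_TYPE
    return event


def collect_events(log_text: str) -> list:
    """Replay the DataSource -> WriteAction flow over a block of log text."""
    events = []
    for line in log_text.splitlines():
        if not filter_match(line):
            continue
        event = parse_event(line)
        if event is not None:
            events.append(event)
    return events


def failures_by_user(events: list) -> dict:
    """Triage helper (not part of the rule): failed console logins per account."""
    return dict(Counter(e["user"] for e in events))


if __name__ == "__main__":
    collected = collect_events(SAMPLE_LOG)
    for e in collected:
        print(e)
    print(failures_by_user(collected))
```

Running the script against the constructed sample yields the six [EXPECTED] records from the rule (the pam_unix and sshd lines are dropped by the filter) and a per-user count that makes the three consecutive root failures on /dev/tty1 stand out for follow-up.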