Failed su (SUSE Linux Enterprise Server 10) - Microsoft.ACS.Linux.SLES.10.Su.Failed (Rule)

Microsoft.ACS.Linux.SLES.10.Su.Failed (Rule)

Rule to collect events for failed call to su

Knowledge Base article:

Summary

An unsuccessful 'su' command has been detected in the system log files.

Causes

User attempted to be granted access to privileged accounts. This monitor allows system administrators to track 'su' usage.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If the activity appears suspicious, please check the associated event details and any other events that happened around the time of this event.

Element properties:

Target	Microsoft.ACS.Linux.SLES.10.ACSEndPoint
Category	EventCollection
Enabled	True
Alert Generate	False
Remotable	True

Member Modules:

ID	Module Type	TypeId	RunAs
EventDS	DataSource	Microsoft.Unix.SCXLog.Privileged.Datasource	Default
WA	WriteAction	Microsoft.ACS.Unix.SecureEventLogWriter	Default

Module Type

TypeId

RunAs

EventDS

DataSource

Microsoft.Unix.SCXLog.Privileged.Datasource

Default

WriteAction

Microsoft.ACS.Unix.SecureEventLogWriter

Default

Source Code:

<Rule ID="Microsoft.ACS.Linux.SLES.10.Su.Failed" Enabled="true" Target="Microsoft.ACS.Linux.SLES.10.ACSEndPoint" Remotable="true"> <Category>EventCollection</Category> <DataSources> <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource"> <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host> <LogFile>/var/log/messages</LogFile>    <RegExpFilter>su: FAILED SU $to \S+$ \S+ on</RegExpFilter> </DataSource> </DataSources> <WriteActions> <WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter"> <RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+(?<process>su):\s*FAILED\s+SU\s+$to\s+(?<clientUser>\S+)$\s+(?<user>\S+)</RegExp> <EventType>0</EventType> <EventId>27003</EventId> </WriteAction> </WriteActions> </Rule>