Regra para coletar eventos relacionados a logons ssh com êxito
Foi detectado um comando ssh nos arquivos de log do sistema.
Foi concedido ao usuário acesso ao sistema remotamente. Este monitor permite que os administradores de sistemas controlem o uso de 'ssh'.
A descrição do alerta e/ou do item de dados de saída contém informações sobre o evento encontrado. Se a atividade parecer suspeita, verifique os detalhes do evento relacionado e todos os outros eventos que ocorreram por volta do horário desse evento.
Target | Microsoft.ACS.Solaris.11.ACSEndPoint |
Category | EventCollection |
Enabled | False |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Unix.SCXLog.Privileged.Datasource | Default |
WA | WriteAction | Microsoft.ACS.Unix.SecureEventLogWriter | Default |
<Rule ID="Microsoft.ACS.Solaris.11.Ssh.Succeeded" Enabled="false" Target="Microsoft.ACS.Solaris.11.ACSEndPoint" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
<LogFile>/var/log/authlog</LogFile>
<!-- [TYPE] Solaris SSH True -->
<!-- [INPUT] Jan 10 14:50:42 jeffcof-sol11-x86 sshd[19958]: [ID 800047 auth.info] Accepted keyboard-interactive for root from ::1 port 41405 ssh2 -->
<!-- [INPUT] Jan 11 10:42:52 jeffcof-sol11-x86 sshd[2000]: [ID 800047 auth.info] Accepted publickey for jeffcof from 172.30.168.208 port 40203 ssh2 -->
<!-- [EXPECTED] date="Jan 10 14:50:42"; hostname="jeffcof-sol11-x86"; process="sshd"; processId="19958"; user="root"; clientHost="::1" -->
<!-- [EXPECTED] date="Jan 11 10:42:52"; hostname="jeffcof-sol11-x86"; process="sshd"; processId="2000"; user="jeffcof"; clientHost="172.30.168.208" -->
<RegExpFilter>[[:space:]]+sshd\[[[:digit:]]+\]: \[.*\] Accepted [^[:space:]]+ for [^[:space:]]+ from [^[:space:]]+</RegExpFilter>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter">
<RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+(?'process'sshd)\[(?'processId'\d+)\]: \[.*\] Accepted \S+ for (?'user'\S+) from (?'clientHost'\S+)</RegExp>
<EventType>1</EventType>
<EventId>27002</EventId>
</WriteAction>
</WriteActions>
</Rule>