Home
  •  

Root Password SSH Authentication alert rule

Microsoft.Linux.RHEL.5.LogFile.Syslog.Root.SSHAuth.Password.Alert (Rule)

Alert rule for detection of Root Password via SSH Authentication

Knowledge Base article:

Summary

Direct login using the root account password detected.

Causes

Users may have been granted access to privileged accounts. This alerting rule allows system administrators to track direct logins using the root account password.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, check the associated event details and any other events that happened around the time of this event.

Element properties:

TargetMicrosoft.Linux.RHEL.5.Computer
CategoryEventCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityInformation
Alert PriorityNormal
RemotableTrue
Alert Message
System has been logged into via SSH using "root" password detected
{0}

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Linux.RHEL.5.LogFile.Syslog.Root.SSHAuth.Password.Alert" Target="Microsoft.Linux.RHEL.5.Computer" Enabled="true" Remotable="true">

  <Category>EventCollection</Category>

  <!-- [TYPE] Redhat5 SSH True -->

  <!-- [INPUT] Jul 31 18:40:21 scxcore-rhel50-01 sshd[16525]: Accepted password for root from 172.30.181.43 port 2039 ssh2 -->

  <!-- [INPUT] Jul 31 20:04:31 scxcore-rhel50-01 sshd[16729]: Accepted publickey for root from 172.30.182.25 port 35550 ssh2 -->

  <!-- [INPUT-MISS] Jul 31 20:03:52 scxcore-rhel50-01 sshd[16696]: Accepted password for jonas from 172.30.181.43 port 4893 ssh2 -->

  <DataSources>

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/log/secure</LogFile>

      <RegExpFilter>\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>0</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Linux.RHEL.5.LogFile.Syslog.Root.SSHAuth.Password.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>