Root Password SSH Authentication alert rule

Microsoft.Linux.RHEL.6.LogFile.Syslog.Root.SSHAuth.Password.Alert (Rule)

Alert rule that detects a direct root login over SSH authenticated with the root account password.

Knowledge Base article:

Summary

Direct login utilizing the root account password detected.

Causes

Users may have been granted access to privileged accounts. This rule lets system administrators track direct logins that use the root account password.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, please check the associated event details and any other events that happened around the time of this event.

Element properties:

Target: Microsoft.Linux.RHEL.6.Computer
Category: EventCollection
Enabled: True
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Remotable: True
Alert Message:
System has been logged into via SSH using "root" password detected
{0}

Member Modules:

ID             Module Type   TypeId                                        RunAs
EventDS        DataSource    Microsoft.Unix.SCXLog.Privileged.Datasource   Default
GenerateAlert  WriteAction   System.Health.GenerateAlert                   Default

Source Code:

<Rule ID="Microsoft.Linux.RHEL.6.LogFile.Syslog.Root.SSHAuth.Password.Alert" Enabled="true" Target="Microsoft.Linux.RHEL.6.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
      <LogFile>/var/log/secure</LogFile>
      <RegExpFilter>.*sshd.*Accepted.*password.*for.*root.*</RegExpFilter>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Linux.RHEL.6.LogFile.Syslog.Root.SSHAuth.Password.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
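To see which /var/log/secure lines this rule turns into alerts, the RegExpFilter above is applied to constructed sample sshd log lines in an added example that is not part of the management pack; the stricter alternative pattern is my own suggestion, and the assumption that each matching line becomes the alert's EventDescription is taken from the AlertParameter1 binding in the rule.

```python
import re

# The RegExpFilter exactly as the rule applies it to each new /var/log/secure line.
ROOT_SSH_PASSWORD_FILTER = re.compile(r".*sshd.*Accepted.*password.*for.*root.*")

# Suggested tighter pattern (not from the management pack): anchors on the sshd
# message format so that a user name merely starting with "root" does not match.
STRICT_FILTER = re.compile(r"sshd\[\d+\]: Accepted password for root from \S+ port \d+ ssh2$")

# Constructed sample lines in RHEL 6 /var/log/secure format (not real data).
SAMPLE_LINES = [
    "Mar  3 10:15:02 rhel6host sshd[2311]: Accepted password for root from 192.0.2.10 port 51234 ssh2",
    "Mar  3 10:15:40 rhel6host sshd[2320]: Accepted publickey for root from 192.0.2.11 port 51240 ssh2",
    "Mar  3 10:16:05 rhel6host sshd[2331]: Failed password for root from 192.0.2.12 port 51250 ssh2",
    "Mar  3 10:16:30 rhel6host sshd[2342]: Accepted password for alice from 192.0.2.13 port 51260 ssh2",
    "Mar  3 10:17:00 rhel6host sshd[2350]: Accepted password for rootbeer from 192.0.2.14 port 51270 ssh2",
    "Mar  3 10:17:30 rhel6host login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)",
]
SAMPLE_SECURE_LOG = "\n".join(SAMPLE_LINES)


def matching_lines(log_text, pattern=ROOT_SSH_PASSWORD_FILTER):
    """Return the log lines the datasource would emit, i.e. one alert per line,
    with the line itself becoming $Data/EventDescription$ (assumed from AlertParameter1)."""
    return [line for line in log_text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    # The rule's own filter fires on the root password login and, because
    # ".*root.*" is unanchored, also on the "rootbeer" login.
    for line in matching_lines(SAMPLE_SECURE_LOG):
        print("MP filter  :", line)
    # The anchored pattern keeps only the genuine root password login.
    for line in matching_lines(SAMPLE_SECURE_LOG, STRICT_FILTER):
        print("strict     :", line)
```

Public-key root logins and failed password attempts do not match either pattern, so this rule is only a password-login detector and needs companion rules for those cases.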