Alert rule for detection of Root Authentication via PAM SSH
Direct login into the root account detected.
Users may have been granted access to privileged accounts. This monitor allows system administrators to track direct logins as root user.
The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, please check the associated event details and any other events that happened around the time of this event.
Target | Microsoft.Linux.SLES.10.Computer | ||
Category | EventCollection | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Information | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Unix.SCXLog.Privileged.Datasource | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Linux.SLES.10.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert" Target="Microsoft.Linux.SLES.10.Computer" Enabled="true" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<!-- [TYPE] SUSE SSH True -->
<!-- [INPUT] Oct 7 16:54:06 sles-101-cjc sshd[31814]: Accepted keyboard-interactive/pam for root from 192.168.233.130 port 59544 ssh2 -->
<!-- [INPUT] Oct 13 11:23:37 sles-101-cjc sshd[26268]: Accepted publickey for root from 192.168.233.130 port 43962 ssh2 -->
<!-- [INPUT-MISS] Oct 7 16:48:23 sles-101-cjc sshd[31574]: Accepted keyboard-interactive/pam for ccrammo from 192.168.233.130 port 44141 ssh2 -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
<LogFile>/var/log/messages</LogFile>
<RegExpFilter>\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+</RegExpFilter>
<IndividualAlerts>false</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Linux.SLES.10.LogFile.Syslog.SSHAuth.PAM.Root.Success.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>