Root PAM SSH Authentication Alert Rule

Microsoft.Linux.SLES.12.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert (Rule)

Alert rule for detection of Root Authentication via PAM SSH

Knowledge Base article:

Summary

Direct login into the root account detected.

Causes

Users may have been granted access to privileged accounts. This monitor allows system administrators to track direct logins as root user.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, please check the associated event details and any other events that happened around the time of this event.

Element properties:

Target: Microsoft.Linux.SLES.12.Computer
Category: EventCollection
Enabled: True
Alert Generate: True
Alert Severity: Information
Alert Priority: Normal
Remotable: True
Alert Message:
System has been logged into via SSH utilizing the "root" account for authentication detected
{0}

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Linux.SLES.12.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert" Target="Microsoft.Linux.SLES.12.Computer" Enabled="true" Remotable="true">
  <Category>EventCollection</Category>
  <DataSources>
    <!-- [TYPE] SUSE SSH True -->
    <!-- [INPUT] 2014-12-15T13:03:06.718568-05:00 linux-sb1s sshd[19370]: Accepted keyboard-interactive/pam for root from 10.30.69.2 port 51219 ssh2 -->
    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
      <LogFile>/var/log/messages</LogFile>
      <RegExpFilter>\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+</RegExpFilter>
      <IndividualAlerts>false</IndividualAlerts>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>0</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Linux.SLES.12.LogFile.Syslog.SSHAuth.PAM.Root.Success.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
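To see which /var/log/messages lines the RegExpFilter above forwards into the alert, here is an added Python example (not part of the management pack) that applies the same pattern to constructed sshd log lines and builds the alert text the way the rule does with {0} = $Data/EventDescription$. The POSIX class [[:digit:]] is written as \d because Python's re module does not support POSIX bracket expressions; everything else is the rule's own pattern. Note that the filter accepts whatever method sshd reports after "Accepted", so a publickey root login matches just as a keyboard-interactive/pam one does, while failed attempts and non-root users do not.

```python
import re

# The rule's RegExpFilter, with [[:digit:]] rewritten as \d for Python's re.
ROOT_SSH_ACCEPTED = re.compile(r"\s+sshd\[\d+\]: Accepted \S+ for root from \S+")

# Alert message text from the rule; {0} is filled with the matched log line.
ALERT_TEMPLATE = (
    'System has been logged into via SSH utilizing the "root" account '
    "for authentication detected\n{0}"
)

# Constructed sample lines in the syslog format the rule reads. The first one
# is the [INPUT] sample from the rule; the rest were written for this example.
SAMPLE_LOG = """\
2014-12-15T13:03:06.718568-05:00 linux-sb1s sshd[19370]: Accepted keyboard-interactive/pam for root from 10.30.69.2 port 51219 ssh2
2014-12-15T13:04:11.000000-05:00 linux-sb1s sshd[19402]: Accepted publickey for root from 10.30.69.7 port 51230 ssh2
2014-12-15T13:05:02.000000-05:00 linux-sb1s sshd[19455]: Failed password for root from 10.30.69.9 port 51241 ssh2
2014-12-15T13:06:40.000000-05:00 linux-sb1s sshd[19501]: Accepted password for rootkit from 10.30.69.4 port 51250 ssh2
2014-12-15T13:07:15.000000-05:00 linux-sb1s sshd[19533]: Accepted publickey for alice from 10.30.69.5 port 51262 ssh2
"""


def matching_events(log_text):
    """Return the lines the data source would emit as EventDescription."""
    return [line for line in log_text.splitlines() if ROOT_SSH_ACCEPTED.search(line)]


def auth_details(line):
    """Extract (auth method, source address) from a matched root login line."""
    m = re.search(r"Accepted (\S+) for root from (\S+)", line)
    return (m.group(1), m.group(2)) if m else None


def build_alert(line):
    """Render the alert description as GenerateAlert would with AlertParameter1."""
    return ALERT_TEMPLATE.format(line)


if __name__ == "__main__":
    for event in matching_events(SAMPLE_LOG):
        print(build_alert(event))
        print("method, source:", auth_details(event))
        print()
```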