SU コマンド成功アラート ルール

Microsoft.Linux.SLES.12.LogFile.Syslog.SU.Command.Root.Success.Alert (Rule)

SU to root コマンド メッセージの成功のアラート ルール

Knowledge Base article:

Element properties:

Member Modules:

Source Code:

<Rule ID="Microsoft.Linux.SLES.12.LogFile.Syslog.SU.Command.Root.Success.Alert" Target="Microsoft.Linux.SLES.12.Computer" Enabled="true" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <!-- [TYPE] SUSE SU True -->

    <!-- [INPUT] 2014-11-05T18:33:15.108355-05:00 linux-sb1s su: (to root) anugup on pts/0 -->

    <!-- [INPUT-MISS] Nov 30 03:36:38 scxcr-sles11-03 su: (to jeffcof) jonas on /dev/pts/2 -->

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/log/messages</LogFile>

      <RegExpFilter>\s+su: \(to root\) \S+ on</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>0</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Linux.SLES.12.LogFile.Syslog.SU.Command.Root.Success.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>