Home
  •  

Root PAM SSH Authentication Alert Rule

Microsoft.Linux.SLES.9.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert (Rule)

Alert rule for detection of Root Authentication via PAM SSH

Knowledge Base article:

Summary

Direct login into the root account detected.

Causes

Users may have been granted access to privileged accounts. This monitor allows system administrators to track direct logins as root user.

Resolutions

The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, please check the associated event details and any other events that happened around the time of this event.

Element properties:

TargetMicrosoft.Linux.SLES.9.Computer
CategoryEventCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityInformation
Alert PriorityNormal
RemotableTrue
Alert Message
System has been logged into via SSH utilizing the "root" account for authentication detected
{0}

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Linux.SLES.9.LogFile.Syslog.SSHAuth.PAM.Root.Success.Alert" Target="Microsoft.Linux.SLES.9.Computer" Enabled="true" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <!-- [TYPE] SUSE SSH True -->

    <!-- [INPUT] Jul  6 22:47:41 scxom64-sles9-03 sshd[12904]: Accepted keyboard-interactive/pam for root from 172.30.180.171 port 22635 ssh2 -->

    <!-- [INPUT] Oct 13 04:46:19 linux sshd[6834]: Accepted publickey for root from ::ffff:192.168.233.130 port 35342 ssh2 -->

    <!-- [INPUT-MISS] Jul  6 22:49:08 scxom64-sles9-03 sshd[12934]: Accepted keyboard-interactive/pam for ccrammo from 172.30.180.171 port 22641 ssh2 -->

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/log/messages</LogFile>

      <RegExpFilter>\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>0</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Linux.SLES.9.LogFile.Syslog.SSHAuth.PAM.Root.Success.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>