Root Password SSH Authentication alert rule

Microsoft.Linux.Universal.LogFile.Syslog.Root.SSHAuth.Password.Alert (Rule)

Alert rule for detecting direct root logins over SSH (by default, any accepted root authentication; see the RegExpFilter note below)

Knowledge Base article:


Direct login using the root account password detected.


This rule is disabled by default. It can be enabled with an override targeting specific Universal Linux instances or a group of Universal Linux instances. If the rule is enabled, the RegExpFilter parameter should be overridden with a regular expression pattern appropriate for the target Linux operating system and version, because the system log messages for a given condition vary between operating systems and versions. Note that the default filter shipped with the rule, "Accepted \S+ for root from \S+", matches any accepted authentication method for root (the source comments list both an "Accepted password" and an "Accepted publickey" line as matching input), so an override that replaces "\S+" after "Accepted" with "password" is needed if only password logins should alert, as the rule name and alert message suggest.


Users may have been granted access to privileged accounts. This alerting rule allows system administrators to track direct logins using the root account password rather than logins to a personal account followed by privilege escalation.


The description of the alert and/or the output data item contains information on the event encountered. If this event appears suspicious, check the associated event details and any other events that happened around the time of this event.

Element properties:

Alert Generate: True
Alert Severity: Information
Alert Priority: Normal
Alert Message: System has been logged into via SSH using "root" password detected

Member Modules:

ID             Module Type    TypeId                                          RunAs
EventDS        DataSource     Microsoft.Unix.SCXLog.Privileged.Datasource     Default
GenerateAlert  WriteAction    System.Health.GenerateAlert                     Default

Source Code:

<Rule ID="Microsoft.Linux.Universal.LogFile.Syslog.Root.SSHAuth.Password.Alert" Target="Universal!Microsoft.Linux.Universal.Computer" Enabled="false" Remotable="true">
  <!-- [TYPE] Redhat6 SSH True -->
  <!-- [INPUT] Dec 6 00:57:45 scxcrd64-rhel6-01 sshd[14769]: Accepted password for root from port 52268 ssh2 -->
  <!-- [INPUT] Jul 31 20:04:31 scxcrd64-rhel6-01 sshd[16729]: Accepted publickey for root from port 35550 ssh2 -->
  <!-- [INPUT-MISS] Dec 6 01:49:37 scxcrd64-rhel6-01 sshd[15053]: Accepted password for zoyang from port 18320 ssh2 -->
  <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
    <RegExpFilter>\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+</RegExpFilter>
  </DataSource>
  <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
  </WriteAction>
</Rule>
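The following is an added example, not code from the management pack, that runs the rule's RegExpFilter over constructed sshd syslog lines so the matching behaviour can be checked before the rule is enabled. The filter is written in POSIX extended regular expression syntax (the [[:digit:]] bracket class), which Python's re module does not accept, so the example translates the common POSIX classes first; the tightened password-only pattern, the hostnames, and the RFC 5737 source addresses are assumptions for illustration.

```python
import re

# The RegExpFilter exactly as it appears in the rule source (POSIX ERE syntax).
RULE_RE = r"\s+sshd\[[[:digit:]]+\]: Accepted \S+ for root from \S+"

# Tighter alternative (an assumption, not from the page): only password logins,
# which is what the rule name and alert message describe.
PASSWORD_ONLY_RE = r"\s+sshd\[[[:digit:]]+\]: Accepted password for root from \S+"

# Python's re module has no POSIX bracket classes, so translate the ones that
# commonly appear in these filters before compiling.
_POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
    "[:space:]": r" \t\r\n",
}


def posix_ere_to_python(pattern: str) -> str:
    """Rewrite POSIX bracket classes such as [[:digit:]] into [0-9] form."""
    for posix, python_form in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python_form)
    return pattern


# Constructed sample syslog lines modelled on the [INPUT] comments in the rule.
# Hostnames are made up and the client addresses are RFC 5737 documentation
# addresses; the sudo and "Failed password" lines are there to show non-matches.
SAMPLE_LOG = [
    "Dec  6 00:57:45 web01 sshd[14769]: Accepted password for root from 192.0.2.10 port 52268 ssh2",
    "Jul 31 20:04:31 web01 sshd[16729]: Accepted publickey for root from 192.0.2.11 port 35550 ssh2",
    "Dec  6 01:49:37 web01 sshd[15053]: Accepted password for zoyang from 192.0.2.12 port 18320 ssh2",
    "Dec  6 01:50:02 web01 sshd[15060]: Failed password for root from 192.0.2.13 port 18400 ssh2",
    "Dec  6 01:51:00 web01 sudo: zoyang : TTY=pts/0 ; USER=root ; COMMAND=/bin/su",
]


def matching_lines(pattern: str, lines: list[str]) -> list[str]:
    """Return the lines a RegExpFilter with this pattern would raise an alert for."""
    regex = re.compile(posix_ere_to_python(pattern))
    return [line for line in lines if regex.search(line)]


if __name__ == "__main__":
    for label, pattern in (("default filter", RULE_RE), ("password-only filter", PASSWORD_ONLY_RE)):
        print(f"{label}:")
        for line in matching_lines(pattern, SAMPLE_LOG):
            print("  ALERT:", line)
```

Run against the sample lines, the default filter alerts on both the password and the publickey root login, while the password-only filter alerts on the password login alone; neither matches the non-root login, the failed attempt, or the sudo line.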