Alert rule for failed "SU to root command" messages.
A failed 'su' command has been detected in the system log files.
This rule is disabled by default. It can be enabled with an override, targeting specific Universal Linux instances or a group of Universal Linux instances. If this rule is enabled, the RegExpFilter parameter should be overridden with a Regular Expression pattern that is appropriate for the target Linux operating system and version. System log messages for specific conditions may vary between operating systems and version.
An unsuccessful attempt was made to elevate privileges with 'su.' This may have been caused by a mistyped password or an attempt to use an invalid username. However, a persistent failure could be an indication of suspicious activity.
The description of the alert and/or the output data item contains information on the event encountered. If 'su' usage appears suspicious, check the associated event details and any other events that happened around the time of this event.
Target | Microsoft.Linux.Universal.Computer | ||
Category | EventCollection | ||
Enabled | False | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Unix.SCXLog.Privileged.Datasource | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Linux.Universal.LogFile.Syslog.SU.Command.Root.Failure.Alert" Target="Universal!Microsoft.Linux.Universal.Computer" Enabled="false" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<!-- [TYPE] Redhat6 SU False -->
<!-- [INPUT] Dec 6 01:30:47 scxcrd64-rhel6-01 su: pam_unix(su-l:auth): authentication failure; logname=zoyang uid=504 euid=0 tty=pts/0 ruser=zoyang rhost= user=root -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
<LogFile>/var/log/secure</LogFile>
<RegExpFilter>su: \S+\(\S+\): authentication failure; logname=\S+ .* user=root</RegExpFilter>
<IndividualAlerts>false</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Linux.Universal.LogFile.Syslog.SU.Command.Root.Failure.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>