Alert rule for successful "SU to root command" messages.
A successful 'su' command has been detected in the system log files.
This rule is disabled by default. It can be enabled with an override, targeting specific Universal Linux instances or a group of Universal Linux instances. If this rule is enabled, the RegExpFilter parameter should be overridden with a Regular Expression pattern that is appropriate for the target Linux operating system and version. System log messages for specific conditions may vary between operating systems and version.
Users may have been granted access to privileged accounts with 'su' elevation. This alerting rule allows system administrators to track 'su' usage.
The description of the alert and/or the output data item contains information on the event encountered. If 'su' usage appears suspicious, check the associated event details and any other events that happened around the time of this event.
Target | Microsoft.Linux.Universal.Computer | ||
Category | EventCollection | ||
Enabled | False | ||
Alert Generate | True | ||
Alert Severity | Information | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Unix.SCXLog.Privileged.Datasource | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Linux.Universal.LogFile.Syslog.SU.Command.Root.Success.Alert" Target="Universal!Microsoft.Linux.Universal.Computer" Enabled="false" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<!-- [TYPE] Redhat6 SU True -->
<!-- [INPUT] Dec 6 01:24:06 scxcrd64-rhel6-01 su: pam_unix(su-l:session): session opened for user root by zoyang(uid=504) -->
<!-- [TYPE] Redhat8 SU True -->
<!-- Dec 25 05:36:46 ost64-rh8-01 su[77788]: pam_unix(su:session): session opened for user root by root(uid=1000) -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
<LogFile>/var/log/secure</LogFile>
<RegExpFilter>\s+su\[*[[:digit:]]*\]*: \S+\(\S+\): session opened for user root by \S+\(uid=[[:digit:]]+\)</RegExpFilter>
<IndividualAlerts>false</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Linux.Universal.LogFile.Syslog.SU.Command.Root.Success.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>