Home
  •  

Root Password SSH Authentication alert rule

Microsoft.Solaris.11.LogFile.Syslog.Root.SSHAuth.Password.Alert (Rule)

Alert rule for successful SSH as root messages.

Knowledge Base article:

Summary

Direct login utilizing the root account password detected.

Configuration

This rule is disabled by default. To enable this rule for monitoring, use overrides to configure the log file path and enable the rule. The log file path is set with the overridable property named LogFile, and the value must be set to the full path to the log file that will receive these events, as defined in the syslog configuration. Overrides can be used to change the parameter values for all instances or for specific instances or groups.

Causes

Users may have been granted access to privileged accounts. This rule allows system administrators to track direct logins utilizing the root account password.

Resolutions

The description of the alert and/or the output data item contains information on the problem encountered. If a failure occurs, check the associated event details and any other events that happened around the time of this failure to diagnose the problem.

Element properties:

TargetMicrosoft.Solaris.11.Computer
CategoryEventCollection
EnabledFalse
Alert GenerateTrue
Alert SeverityInformation
Alert PriorityNormal
RemotableTrue
Alert Message
Successful SSH as Root detected
{0}

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Solaris.11.LogFile.Syslog.Root.SSHAuth.Password.Alert" Target="Microsoft.Solaris.11.Computer" Enabled="false" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <!-- [TYPE] Solaris SSH True -->

    <!-- [INPUT] Dec  2 10:53:41 jeffcof-sol11-x86 sshd[1819]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 172.30.170.215 port 38708 ssh2 -->

    <!-- [INPUT-MISS] Dec  2 11:00:01 jeffcof-sol11-x86 sshd[1828]: [ID 800047 auth.info] Accepted publickey for jeffcof from 172.30.170.215 port 47999 ssh2 -->

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/log/authlog</LogFile>

      <RegExpFilter>[[:space:]]+sshd\[[[:digit:]]+\]: \[.*\] Accepted [^[:space:]]+ for root from [^[:space:]]+</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>0</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Solaris.11.LogFile.Syslog.Root.SSHAuth.Password.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>