4 Replies Latest reply on Oct 31, 2017 5:45 PM by curtisi

    Incidents created when manager logs in as root for cron

    matt.sherman@wheda.com

      New to LEM... we enabled a bunch of default rules. Every 15 minutes or so, incidents are created from events automatically happening on the manager. The rules that are firing to create the incidents are "Authentication Traffic but No Agent" and "Authentication Attempt - Default Account".


      The event info is always 'pam user logoff "root" from service "cron:session"' and 'pam user logon "root" for service "cron:session"'


      From the description of the "Authentication Traffic but No Agent" rule, it says it "Detects unauthorized workstations on the network" which is something we'd like to do. So are we supposed to modify the rule to exclude the LEM Manager?


      For the "Authentication Attempt - Default Account" rule, I see it's looking for authentication attempts for *administrator, *root, or *guest. While we would like to know if somebody is trying to log in with these accounts, I don't really care that the LEM manager is logging in by itself to run cron jobs.


      How do we exclude these specific events from generating the incidents, but allow LEM to create incidents if the rules are triggered for other reasons?

        • Re: Incidents created when manager logs in as root for cron
          jhynds

          Hi Matt,


          This is typically what a root/cron logon looks like within LEM:


          You can add conditions to your correlation rules to exclude certain usernames, hostnames, etc.


          For example, you can add a condition to the 'Authentication Attempt - Default Account' rule to exclude events where the DetectionIP is not equal to the LEM appliance:


          2 of 2 people found this helpful
            • Re: Incidents created when manager logs in as root for cron
              dlorenzo@wpb.org

              Your solution will not give the desired effect. You have all your conditions in a correlation box set to OR (yellow right edge). So, if any of these conditions are met it will apply. That means the "DetectionIP not equal to *swi-lem*" will meet this even if the DestinationAccount isn't administrator, root, or guest.


              I believe this will accomplish that.


              [image: Lem Rule 2.JPG]


              The right edge is set to AND (blue), meaning that both groups must meet the condition for the correlation to be true: the (DestinationAccount is equal to administrator, root, or guest) AND the (DestinationIP is not equal to your LEM appliance).

              1 of 1 people found this helpful
                • Re: Incidents created when manager logs in as root for cron
                  valkos

                  Those rules were helpful.


                  And how would one go about suppressing/discarding these alerts from showing under the Incidents window?

                  Do I need to create a new action or need to use one from SolarWinds (although none seemed to have anything related to suppressing/discarding)?

                  • Re: Incidents created when manager logs in as root for cron
                    curtisi

                    I don't know that two sub-groups are needed for this; I got it with one:


                    If your environment has some set of tasks that do require/use the default admin accounts, you may want to swap "swi-lem" for a User Defined Group of systems so as to make that easier to maintain.


                    That said, you can stop this alert from making ANY Incidents by removing the "Incident Alert" action.


                    I would say that the root cause (pun not intended) is that you've run a "Scan for Nodes" connector discovery. LEM probably configured the CRON connector for itself, and that's causing the issue. If you go to Manage --> Appliances, and configure Connectors on your LEM, do you have any of the Linux PAM, AuditD or Cron connectors configured? If so, I'd suggest disabling and deleting them so that the LEM isn't reading its own system logs.

                    1 of 1 people found this helpful
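The OR-versus-AND grouping that dlorenzo and curtisi describe above, modelled as an added example (not LEM's own rule engine or code from anyone in this thread). The hostnames, the PAM events and the `swi-lem` appliance pattern are constructed for illustration; the two rule functions show why the all-OR box fires on ordinary logons while the AND grouping only fires on default-account logons that did not originate on the appliance.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Assumed/constructed values: the thread refers to the appliance as "*swi-lem*";
# the default-account patterns are the ones the rule description lists.
LEM_APPLIANCE = "*swi-lem*"
DEFAULT_ACCOUNTS = ("*administrator", "*root", "*guest")


@dataclass
class Event:
    name: str                 # e.g. "UserLogon"
    destination_account: str  # DestinationAccount field
    detection_ip: str         # DetectionIP field (host that reported the event)
    service: str = ""         # e.g. "cron:session" from the PAM message


def is_default_account(ev: Event) -> bool:
    """Condition group 1: DestinationAccount matches *administrator, *root or *guest."""
    return any(fnmatch(ev.destination_account.lower(), p) for p in DEFAULT_ACCOUNTS)


def not_from_lem(ev: Event) -> bool:
    """Condition group 2: DetectionIP is not the LEM appliance itself."""
    return not fnmatch(ev.detection_ip.lower(), LEM_APPLIANCE)


def rule_or(ev: Event) -> bool:
    """Every condition in one OR box (yellow edge): fires if either group is true."""
    return is_default_account(ev) or not_from_lem(ev)


def rule_and(ev: Event) -> bool:
    """Groups joined with AND (blue edge): fires only when both are true."""
    return is_default_account(ev) and not_from_lem(ev)


# Constructed sample events, including the cron logon from the question.
EVENTS = [
    Event("UserLogon", "root", "swi-lem01", "cron:session"),  # LEM's own cron logon
    Event("UserLogon", "jsmith", "ws-042", "sshd"),           # normal user, other host
    Event("UserLogon", "root", "ws-042", "sshd"),             # root logon on another host
    Event("UserLogoff", "jsmith", "swi-lem01", "sshd"),       # non-default account on LEM
]


def incidents(rule, events=EVENTS):
    """Return (account, host) pairs for which the given rule would raise an incident."""
    return [(e.destination_account, e.detection_ip) for e in events if rule(e)]


if __name__ == "__main__":
    print("OR box :", incidents(rule_or))   # noisy: fires on jsmith too
    print("AND box:", incidents(rule_and))  # only the root logon from ws-042
```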