Wazuh notification - (host) any - Alert level 12 Successful su for nobody by root


Matheus Oliveira

Apr 27, 2022, 5:27:47 PM
to Wazuh mailing list
These days I'm receiving this alert by email, and I found it strange because, of all the hosts, it was the first time I had seen it. Has anyone gone through something like this?

=======================================================================
Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host su[58761]: + ??? root:nobody

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host su[58761]: pam_unix(su:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host su[58767]: + ??? root:nobody

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host su[58767]: pam_unix(su:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:03 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:04 host su[58778]: + ??? root:nobody

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:04 host su[58778]: pam_unix(su:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

Wazuh Notification.
2022 Apr 27 06:25:46

Received From: (host) any->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
User: nobody
Portion of the log(s):

Apr 27 06:25:04 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
uid: 0

 --END OF NOTIFICATION

=======================================================================

When I looked, I was quite scared. I found a Prometheus service in Docker running as user nobody and killed that service, but the warning keeps coming. I checked whether there are any schedules in cron and didn't find anything there either. If anyone can give me some guidance on how to find out more about this warning, or whether it is a false positive, I'd be grateful.

Emiliano Zorn

Apr 28, 2022, 7:14:09 PM
to Wazuh mailing list
Hello there!

The rule itself raises an alert each time a user's authentication succeeds.
Here is how it is configured:


<!-- Attack signatures -->
<group name="syslog,attacks,">
  <rule id="40101" level="12">
    <if_group>authentication_success</if_group>
    <user>$SYS_USERS</user>
    <description>System user successfully logged to the system.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

The alert is arriving by mail because of its level; you must have configured alerts of that level to be sent to your mail.
Can you verify which agent is affected by this alert?


Regards,
Emiliano.
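As an added example (this is not Wazuh's code and not part of the original thread), the Python below mirrors what rule 40101 does: decode the su and pam_unix "session opened" lines into an authentication_success event and fire when the target user matches the system-user list. It is run over the nine auth.log lines quoted in the first post plus two constructed lines, and it correlates the su lines by PID so the burst is visible as three su invocations rather than nine alerts. The SYS_USERS pattern is a shortened stand-in for the ruleset's $SYS_USERS variable (it keeps nobody, which is why the rule fires here), and the event field names are this example's own.

```python
"""Toy re-implementation of Wazuh rule 40101 run over the thread's auth.log lines.

Added example, not Wazuh code. Field names and the SYS_USERS list are assumptions.
"""
import re

# Stand-in for the ruleset's $SYS_USERS variable. Assumption: the real list is
# longer; it does include "nobody", which is why 40101 fires on these lines.
SYS_USERS = re.compile(r"^(apache|mysql|www|nobody|wwwrun|sshd|postfix|named)$")

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# su's own success line: "su[PID]: + TTY SRC:DST". A tty of "???" means su had no controlling terminal.
SU_PLUS = re.compile(TS + r" (?P<host>\S+) su\[(?P<pid>\d+)\]: \+ (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$")
# pam_unix session-open lines, from su (with a PID) and from systemd-user (no PID)
PAM_SESSION = re.compile(
    TS + r" (?P<host>\S+) (?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: pam_unix\((?P<service>[\w-]+):session\): "
    r"session opened for user (?P<dst>\S+) by \(uid=(?P<uid>\d+)\)$"
)


def parse_auth_line(line):
    """Decode a line that means 'authentication succeeded' into a dict; None for anything else."""
    m = SU_PLUS.match(line)
    if m:
        ev = m.groupdict()
        ev.update(prog="su", uid=None)
        return ev
    m = PAM_SESSION.match(line)
    if m:
        ev = m.groupdict()
        ev.update(src=None, tty=None)
        return ev
    return None


def rule_40101(event):
    """Equivalent of rule 40101: an authentication_success event whose target user is a system account."""
    return event is not None and SYS_USERS.match(event["dst"]) is not None


def seconds_of_day(ts):
    """'Apr 27 06:25:03' -> seconds since midnight (the syslog timestamp carries no year)."""
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def triage(lines):
    """Run the rule over raw lines and summarise what fired, correlating su lines by PID."""
    alerts = [ev for ev in map(parse_auth_line, lines) if rule_40101(ev)]
    su_pids = sorted({ev["pid"] for ev in alerts if ev["prog"] == "su"})
    times = [seconds_of_day(ev["ts"]) for ev in alerts]
    return {
        "alerts": len(alerts),
        "targets": sorted({ev["dst"] for ev in alerts}),
        "su_invocations": len(su_pids),
        "su_pids": su_pids,
        "ttys": sorted({ev["tty"] for ev in alerts if ev["tty"]}),
        "callers": sorted({ev["src"] or "uid=" + ev["uid"] for ev in alerts}),
        "span_seconds": (max(times) - min(times)) if times else 0,
    }


# The nine lines quoted in the thread, followed by two constructed lines that must not alert.
SAMPLE_LINES = [
    "Apr 27 06:25:03 host su[58761]: + ??? root:nobody",
    "Apr 27 06:25:03 host su[58761]: pam_unix(su:session): session opened for user nobody by (uid=0)",
    "Apr 27 06:25:03 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)",
    "Apr 27 06:25:03 host su[58767]: + ??? root:nobody",
    "Apr 27 06:25:03 host su[58767]: pam_unix(su:session): session opened for user nobody by (uid=0)",
    "Apr 27 06:25:03 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)",
    "Apr 27 06:25:04 host su[58778]: + ??? root:nobody",
    "Apr 27 06:25:04 host su[58778]: pam_unix(su:session): session opened for user nobody by (uid=0)",
    "Apr 27 06:25:04 host systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)",
    # constructed: interactive su to root from a terminal; root is not in SYS_USERS, so no 40101
    "Apr 27 06:30:00 host su[59001]: + pts/0 alice:root",
    # constructed: not an su/pam session line at all, so the parser returns None
    "Apr 27 06:30:05 host sshd[59010]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Reading the summary for the thread's lines: nine alerts collapse to three su invocations within one second, all started by uid 0 with tty "???" (no controlling terminal), which is what a non-interactive job looks like rather than someone typing su. That is consistent with the poster's suspicion of a scheduled task, but the script only classifies the lines; finding the process that calls su is a separate step on the host. To see which real rule a line matches, Wazuh ships wazuh-logtest in the manager's bin directory, which is the authoritative check.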

Matheus Oliveira

Apr 29, 2022, 5:12:42 PM
to Wazuh mailing list
Yes, I can identify the host. I've looked for something that identifies this alert, but so far I haven't been able to find it. I suspect that it's some cron schedule made by some Docker container that doesn't have a specific user to run as, so Linux runs it as nobody, because it's always at the same time. I'm suspicious of this because I searched the internet for posts describing behavior similar to this. I checked and there's nothing in the host's schedules, so I started looking in the containers. I found some stuff from some containers with Spring. If I find out more, I'll let you know here. Thank you for giving me your attention and trying to help me. =D