Mozilla Security SSHD Login Monitor
Match SSH login events and generate email alerts.
By default, alerts always go to default_email.
If user_email is specified in the configuration, alerts will also be sent to this address. User email should be a string containing a %s format specifier which is replaced with the username of the account which logged in.
The acceptable_message_drift parameter indicates an age in seconds. If a new event is received and the timestamp is older than current time - acceptable_message_drift, or newer than the current time + acceptable_message_drift, then instead of handling the alert normally the alert will be submitted to drift_email with an indication that events are being consumed with abnormal timestamp fields.
If drift_email is not set, excessively new or old messages will just be ignored.
This analysis plugin assumes that, under normal circumstances, events are received in a timely manner.
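The routing rules above (default_email always, user_email formatted with the login name, out-of-drift events diverted to drift_email or dropped), written out as a small standalone Lua function. This is an added illustration, not the plugin's own code; it assumes timestamps are plain seconds, that "ignored" means no recipients at all, and uses constructed placeholder addresses.

```lua
-- Added example (not the plugin's own code): the alert-routing decision
-- described above as a standalone function. Assumes timestamps are in
-- seconds and that "ignore" means no recipients at all.

local DEFAULT_DRIFT = 600 -- seconds, matching the documented default

-- cfg: default_email (required), user_email / drift_email (optional),
--      acceptable_message_drift (optional, seconds)
-- Returns a list of recipient addresses and a reason string.
local function route_alert(cfg, username, event_ts, now)
  assert(cfg.default_email, "default_email is required")
  local drift = cfg.acceptable_message_drift or DEFAULT_DRIFT
  local too_old = event_ts < now - drift
  local too_new = event_ts > now + drift
  if too_old or too_new then
    -- abnormal timestamp: notify drift_email if configured, else drop
    if cfg.drift_email then
      return { cfg.drift_email }, "drift"
    end
    return {}, "ignored"
  end
  local recipients = { cfg.default_email }
  if cfg.user_email then
    -- user_email carries a %s placeholder for the login name
    recipients[#recipients + 1] = string.format(cfg.user_email, username)
  end
  return recipients, "normal"
end

-- Constructed sample configuration (placeholder addresses)
local cfg = {
  default_email = "secops@example.com",
  user_email = "oncall-%s@example.com",
  drift_email = "drift@example.com",
  acceptable_message_drift = 600,
}

local now = 1700000000 -- constructed "current time", in seconds
for _, ev in ipairs({
  { user = "alice", ts = now - 30 },   -- fresh: normal alert
  { user = "bob",   ts = now - 3600 }, -- an hour old: drift
  { user = "carol", ts = now + 900 },  -- from the future: drift
}) do
  local to, reason = route_alert(cfg, ev.user, ev.ts, now)
  print(ev.user, reason, table.concat(to, ", "))
end
```

Removing drift_email from cfg makes the second and third events return an empty recipient list with reason "ignored", matching the documented fallback.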
1. Sample Configuration
filename = "moz_security_sshd_login_monitor.lua"
message_matcher = "Type ~= 'bastion.file.sshd'% && Fields[sshd_authmsg] == 'Accepted'"
ticker_interval = 0
process_message_inject_limit = 1
default_email = "foxsec-dump+OutOfHours@mozilla.com" -- required
-- user_email = "manatee-%s@moz-svc-ops.pagerduty.com" -- optional user specific email address
-- drift_email = "captainkirk@mozilla.com" -- optional drift message notification
-- acceptable_message_drift = 600 -- optional, defaults to 600 seconds if not specified
source code: moz_security_sshd_login_monitor.lua