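#! META
name: chkp-os-failed-logins
description: List how many failed logins per user for last hour
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: checkpoint
    or:
        - os.name: gaia
        - os.name: secureplatform

#! COMMENTS
failed-logins:
    why: |
        Attackers often try to guess user passwords, in an attempt to get access to a device. Alerting to this behavior means that the administrator could take actions to limit or stop this.
    how: |
        Count the number of failed logins for the last hour, using the information in /var/log/secure log file.
    without-indeni: |
        An administrator could login and manually read the file to count attempts.
    can-with-snmp: false
    can-with-syslog: true
    vendor-provided-management: |
        This is only accessible from the command line interface.

#! REMOTE::SSH
echo -n "time: " && clock && /bin/nice -n 15 grep "Failed password" /var/log/secure

#! PARSER::AWK

# Scope of what is counted (from the command above): only the live
# /var/log/secure is read, never rotated copies, and only lines containing
# "Failed password". sshd failures of other kinds ("Failed publickey",
# "Failed none") and non-sshd authentication failures do not appear to be
# covered by this grep — extend the pattern if those should count too.

# Device wall clock, printed by "clock" before the grep runs, e.g.:
#time: Fri Sep 1 05:15:20 2017 -0.016178 seconds
/^time: / {
    currentYear = $6
    currentMonth = parseMonthThreeLetter($3)
    currentDay = $4
    split($5, clockSplitArr, ":")
    currentHour = clockSplitArr[1]
    currentMinute = clockSplitArr[2]
    currentSecond = clockSplitArr[3]
    # Epoch seconds (assumed: the original subtracts this and compares to 3600).
    currentTime = datetime(currentYear, currentMonth, currentDay, currentHour, currentMinute, currentSecond)
}

# Log line shapes seen on these platforms, with and without a year field:
#Jun 5 10:18:30 2017 lab-CP-GW1-R7730 sshd[9369]: Failed password for invalid user someuser from 10.10.1.251 port 61492 ssh2
#Sep 1 12:14:12 2017 lab-CP-GW1 sshd[12399]: Failed password for indeni from 192.168.201.5 port 49575 ssh2
#Jul 27 17:42:37 Mario sshd[29849]: Failed password for indeni from 10.10.1.1 port 63913 ssh2
/ Failed password for / {
    # The username is the 6th field from the end ("<user> from <ip> port <port> ssh2"),
    # which holds for both the plain form and the "invalid user <user>" form.
    # NOTE(security): for "invalid user" lines the name is whatever the remote
    # client sent, i.e. attacker-controlled. It becomes the "username" tag of
    # the metric, so a username-spraying attack produces one metric per guessed
    # name (tag cardinality grows with the attack), and a name containing
    # whitespace would shift the field positions.
    user = $(NF-5)
    failedMonth = parseMonthThreeLetter($1)
    failedDay = $2

    #10:18:30
    split($3, failedTimeSplitArr, ":")
    failedHour = failedTimeSplitArr[1]
    failedMinute = failedTimeSplitArr[2]
    failedSecond = failedTimeSplitArr[3]

    if ($4 ~ /^[0-9][0-9][0-9][0-9]$/) {
        # Year is present in the log line. The match is anchored so that a
        # hostname merely containing four digits is not mistaken for a year
        # (the previous unanchored /[0-9]{4}/ would have matched "gw-2017a").
        failedYear = $4
        failedTime = datetime(failedYear, failedMonth, failedDay, failedHour, failedMinute, failedSecond)
    } else {
        # Year is missing. Assume the current year first; if that would place
        # the entry materially in the future, it must be from the previous
        # year (e.g. a September line read in January, or a May line read in
        # April). This supersedes the old Oct-Dec / Jan-Mar heuristic, which
        # left e.g. a May-of-last-year line dated in the future, giving a
        # negative diffTime that was then counted as a recent failure.
        failedYear = currentYear
        failedTime = datetime(failedYear, failedMonth, failedDay, failedHour, failedMinute, failedSecond)
        # One day of tolerance: the grep runs a moment after "clock", so a line
        # can legitimately be a second or two newer than currentTime.
        if (failedTime - currentTime > 86400) {
            failedYear = currentYear - 1
            failedTime = datetime(failedYear, failedMonth, failedDay, failedHour, failedMinute, failedSecond)
        }
    }

    diffTime = currentTime - failedTime
    # Count only entries from the last 60 minutes. A slightly negative diff
    # (line written between "clock" and the grep) still counts as "now".
    # If the "time:" line never arrived there is no reference clock, so count
    # nothing rather than everything (a missing currentTime made every
    # diffTime negative in the original).
    if (currentTime != "" && diffTime < 3600) {
        failed[user]++
    }
}

END {
    # Only users with at least one failure in the window get a data point, so
    # the metric's absence means "zero", not "unknown" — alerting rules should
    # treat a missing value accordingly rather than as a failure to collect.
    for (user in failed) {
        tags["username"] = user
        writeDoubleMetric("failed-logins", tags, "gauge", 300, failed[user])
    }
}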