How do you specify the "forbidden hours" in the Detection Rule "Auditd Login Attempt at Forbidden Time"

I came across that Detection Rule, but it seems unusual to me that I cannot specify the "Forbidden Times" somehow. My guess is that auditd has that event that can be triggered, but the thing is that somehow you can control that and set your "forbidden hours".

The query is: event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to"
Also, I couldn't find any documentation about that event from auditd.

Thanks in advance


Hi again, @panagiss, for this rule, auditbeat is checking details available in a Linux Pluggable Authentication Module, also known as PAM, on the system on which it is running.

Specifically, there is a pam_time module that detects logins during unusual times. I am not familiar with this module, but it seems that there are time settings available.

I found this Red Hat documentation on Time-based restriction of Access

So your Linux system would need to have pam_time installed and running in order for this rule to trigger.

The Elastic documentation for this rule contains a link to the line in the pam_time code that checks for this behavior.

Hope this helps!
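As an added illustration (not Elastic's or Linux-PAM's code), the Python below evaluates a pam_time style `time.conf` rule against a login timestamp, using the day tokens and the `|`/`!` logic-list syntax from the pam_time man page; the `sshd`/`alice` rule is constructed, the ttys field is ignored, and `&` is not supported.

```python
from datetime import datetime

# Day tokens from the pam_time(8) man page: Wk = weekdays, Wd = weekend, Al = every day.
DAY_TOKENS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
              "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def parse_spec(spec):
    """Split 'Wk0800-1800' into (set of weekdays, start HHMM, end HHMM)."""
    days, i = set(), 0
    while spec[i:i + 2] in DAY_TOKENS:
        days ^= DAY_TOKENS[spec[i:i + 2]]  # repeated days toggle: MoWk = weekdays except Monday
        i += 2
    start, end = spec[i:].split("-")
    return days, int(start), int(end)

def spec_matches(spec, when):
    """True if 'when' falls inside one day/time-range entry (end is exclusive)."""
    days, start, end = parse_spec(spec)
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    hhmm = when.hour * 100 + when.minute
    if start < end:
        return today in days and start <= hhmm < end
    # end <= start: the range starts on a listed day and runs past midnight into the next one
    return (today in days and hhmm >= start) or (yesterday in days and hhmm < end)

def field_matches(field, probe):
    """Evaluate a '|'-joined logic list; '!' negates a term. 'probe' tests one bare term."""
    result = False
    for term in field.replace(" ", "").split("|"):
        negate = term.startswith("!")
        result = result or (probe(term.lstrip("!")) != negate)
    return result

def login_denied(rule, service, user, when):
    """pam_time semantics: when the services and users fields match, access is denied
    unless the times field covers 'when'. The ttys field is ignored in this illustration."""
    services, _ttys, users, times = [f.strip() for f in rule.split(";")]
    if not (field_matches(services, lambda s: s in ("*", service))
            and field_matches(users, lambda u: u in ("*", user))):
        return False
    return not field_matches(times, lambda t: spec_matches(t, when))

# Constructed rule: non-root SSH logins are only allowed on weekdays between 08:00 and 18:00.
RULE = "sshd ; * ; !root ; Wk0800-1800"

if __name__ == "__main__":
    for when in (datetime(2024, 1, 10, 3, 0), datetime(2024, 1, 10, 9, 30), datetime(2024, 1, 13, 10, 0)):
        print(when, "denied" if login_denied(RULE, "sshd", "alice", when) else "allowed")
```

A denial by pam_time is what produces the audit record that Auditbeat maps to the `attempted-log-in-during-unusual-hour-to` action the rule queries, so the "forbidden hours" live in `/etc/security/time.conf`, not in the detection rule.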

Yeah thanks, I didn't see the link at first, even though your info here was more valuable for me in order to dig it up later.
Thanks
