From 8c8722851f2131f7e35821f074863feb19d8f2dd Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Thu, 28 Apr 2022 22:15:21 +0200
Subject: [PATCH] DEV-386: added alert to get notification in case of ssh root login
---
 templates/prometheus/config/prometheus/alert.rules.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/templates/prometheus/config/prometheus/alert.rules.j2 b/templates/prometheus/config/prometheus/alert.rules.j2
index 6cf21dc..f19a402 100644
--- a/templates/prometheus/config/prometheus/alert.rules.j2
+++ b/templates/prometheus/config/prometheus/alert.rules.j2
@@ -279,3 +279,13 @@ groups:
 identifier: '{{ '{{' }} $labels.instance {{ '}}' }}'
 summary: "Instance <{{ '{{' }} $labels.instance {{ '}}' }}> has less traffic than expected"
 description: "checks if postgres receives traffic on internal interface."
+
+ - alert: ssh root login
+ expr: authlog_root_login_hits > 0 or absent(authlog_root_login_hits)
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ identifier: '{{ '{{' }} $labels.instance {{ '}}' }}'
+ summary: "ssh root login on Instance <{{ '{{' }} $labels.instance {{ '}}' }}> detected. plz check"
+ description: "unexpected ssh root login detected."
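Review bot: The `or absent(authlog_root_login_hits)` branch of `expr` makes this rule fire as a critical "ssh root login … detected" alert whenever the metric is simply missing, and because `absent()` on a bare metric name returns a series with no labels, `$labels.instance` in `identifier` and `summary` renders empty in that case. Keep `expr: authlog_root_login_hits > 0` here and move the missing-metric condition to its own rule with its own wording, so responders can tell a login from a monitoring gap; the name, `for` and severity in the sketch below are suggestions. Note also that `absent()` only fires when no instance at all reports the metric, so a single host whose collector stops would stay silent. Whether `for: 1m` can miss a short login depends on how `authlog_root_login_hits` is produced, which is not visible here. The rules list this entry belongs to starts outside the hunk, and the indentation below should follow it.

```yaml
- alert: ssh root login
  expr: authlog_root_login_hits > 0
  # … unchanged: for, labels, annotations …

- alert: ssh root login metric missing
  expr: absent(authlog_root_login_hits)
  for: 5m
  labels:
    severity: warning
  annotations:
    summary: "authlog_root_login_hits is not reported; ssh root login detection is blind"
    description: "the metric behind the ssh root login alert is absent; check the collector."
```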