On 17 April 2013 21:09, Morsiani, Massimo <massimo.morsiani at gilbarco.com> wrote:
is there anyone that is using one script to check if root user is logged on Unix/Linux machines? Or is there anyone that is using "xymond_rootlogin.pl" and can explain to me how to use it? Thanks in advance for the support.
IMHO, this script seems overkill, given what's now possible within Xymon these days. The "who" output is already available in the client data, and could be extracted and analysed server-side with something like:
#!/bin/sh
# xymongrep prints the matching hosts.cfg lines (IP hostname # tags),
# so pick out the hostname field
HOSTLIST=$(xymongrep --noextras rootcheck | awk '{print $2}')
for HOSTNAME in $HOSTLIST; do
    # pull the [who] section from the client's last report
    WHO=$(xymon localhost "clientlog $HOSTNAME section=who")
    [ "$WHO" ] || continue   # skip hosts without [who]
    # match the user field exactly, not just a "root" prefix
    if echo "$WHO" | grep "^root[[:space:]]" >/dev/null; then
        MSG="status $HOSTNAME.root red root logins detected"
    else
        MSG="status $HOSTNAME.root green no root logins detected"
    fi
    # XYMSRV is in the environment when this runs from tasks.cfg
    xymon $XYMSRV "$MSG
$WHO"
done
This just finds all the hosts.cfg entries with "rootcheck" present, and reports where "who" shows that root is logged in. This would be run from tasks.cfg.
Another way to do this, without having to create and maintain an actual script file, is to use backticks to create a virtual log file entry in client-local.cfg, like so:
log:`exec 2>/dev/null; { grep '^$' /tmp/who.log >/dev/null && >/tmp/who.log || echo "" >>/tmp/who.log; } && who >> /tmp/who.log && echo /tmp/who.log`:10240
This collects lines from a virtual logfile /tmp/who.log, which contains the who output. This allows you to monitor the who logfile with analysis.cfg, like so:
HOST=*
    LOG /tmp/who.log %^root COLOR=red TEXT="Root login detected"
This backtick scriptlet is a little complicated because it needs to make sure the virtual logfile size changes every time, otherwise Xymon's logfetch process might not detect any difference in the file and not report anything.
J