Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor against /var/log/messages or /var/log/secure. For example, on Fedora Core 6, you get these tell-tale entries in /var/log/secure. The first was a failed attempt, while the second is a successful attempt.
Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)
If these entries got forwarded to a remote syslog server, the trigger would be much less vulnerable to tampering.
On 1/28/07, Henrik Stoerner <henrik at hswn.dk> wrote:
On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
I have noticed that the client collects all of the data and then the server "tests" the condition.
How would I go about writing a who script that would tell me when someone is logged in as root?
For someone familiar with Perl, I think it should be fairly straight-forward.
I'm not familiar with Perl at all, but a couple of hours work produced this, which appears to work fine. I'll include it as a sample of how to hook into the Hobbit server-side channels.
To use it, put it in your ~hobbit/server/ext/ directory, and add this to your hobbitlaunch.cfg on your server:
[rootlogin]
	ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
	NEEDS hobbitd
	CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl
Regards, Henrik
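The log trigger suggested in the top reply, sketched as an added example that is not part of the original thread or of Hobbit: it picks su-to-root attempts out of /var/log/secure lines in the pam_unix format quoted above. The function names and the red/yellow/green mapping are assumptions, and the last two sample lines are constructed.

```python
import re

# The first two lines are the Fedora Core 6 entries quoted in the thread; the
# last two are constructed here as entries that must not trigger.
SAMPLE = """\
Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)
Jan 28 08:40:02 box1 su: pam_unix(su-l:session): session opened for user backup by joe(uid=500)
Jan 28 08:41:10 box1 su: pam_unix(su-l:session): session closed for user root
"""

# Syslog prefix (timestamp, host, "su:") followed by the pam_unix phase and message.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu(?:\[\d+\])?:\s"
    r"pam_unix\(su(?:-l)?:(?P<phase>auth|session)\):\s(?P<msg>.*)$"
)
# \buser= cannot match inside "ruser=", so only the target account is tested.
FAILED = re.compile(r"authentication failure;.*\bruser=(?P<who>\S*).*\buser=root\s*$")
OPENED = re.compile(r"session opened for user root by (?P<who>[^\s(]+)\(uid=\d+\)")


def root_su_events(lines):
    """Return one dict per su attempt (failed or successful) that targets root."""
    events = []
    for line in lines:
        m = PREFIX.match(line.rstrip("\n"))
        if not m:
            continue
        failed = m["phase"] == "auth"
        hit = (FAILED if failed else OPENED).search(m["msg"])
        if hit:
            events.append({"time": m["ts"], "host": m["host"], "by": hit["who"],
                           "result": "failed" if failed else "success"})
    return events


def status(events):
    """Assumed mapping: red if anyone got root, yellow if only failures, else green."""
    results = {e["result"] for e in events}
    return "red" if "success" in results else "yellow" if results else "green"


if __name__ == "__main__":
    found = root_su_events(SAMPLE.splitlines())
    for e in found:
        print(e["time"], e["host"], e["by"], e["result"])
    print(status(found))
```

Run on the remote syslog server rather than on the monitored host, the same parsing keeps working after a local /var/log/secure has been altered.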