I have noticed that the client collects all of the data and then the server "tests" the condition.
How would I go about writing a who script that would tell me when someone is logged in as root?
Thanks
Richard
On Saturday 27 January 2007 00:51, Richard Leon wrote:
> I have noticed that the client collects all of the data and then the server "tests" the condition.
> How would I go about writing a who script that would tell me when someone is logged in as root?

You can also write client tests. The bb command is used to send the status to the server. It's up to you to write the actual test. There is an entry in the FAQ section about this: http://www.hswn.dk/hobbit/help/hobbit-tips.html#scripts
Stef
On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
> I have noticed that the client collects all of the data and then the server "tests" the condition.
> How would I go about writing a who script that would tell me when someone is logged in as root?

For a server-side script, you'll be hooking into the Hobbit "client" channel. You do that by running

    hobbitd_channel --channel=client MYSCRIPT

through an extra section in the hobbitlaunch.cfg file. You can also run it by hand (eg for testing your script), then you must be logged in as the "hobbit" user and then run it via "bbcmd" like this:

    bbcmd hobbitd_channel --channel=client MYSCRIPT

Your script will be getting the full client message, which looks like this:

    @@client#660157/osiris.hswn.dk|1169886036.071499|172.28.50.141|osiris.hswn.dk|linux|linux
    [uptime]
    09:21:06 up 4 days, 6:53, 1 user, load average: 0.03, 0.06, 0.01
    [date]
    Sat Jan 27 09:21:15 CET 2007
    [who]
    henrik :0 2007-01-23 04:04
    <lots more section>
    @@

(Just to see what it looks like, try running

    bbcmd hobbitd_channel --channel=client cat

which just dumps the client data to the terminal).

Each message begins with a line with "@@client...." and ends with a "@@" line. In between those two is a series of sections marked with "[SECTION]", you just need to grab the "[who]" section and scan it for a "root" login.

When you've scanned a section, generate a status message (green or red) and send it to Hobbit - the hostname of the client reporting this data is in the "@@client..." line, as the fourth field (delimited by '|' signs).

For someone familiar with Perl, I think it should be fairly straight-forward.

Regards, Henrik
On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
> On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
> > I have noticed that the client collects all of the data and then the server "tests" the condition.
> > How would I go about writing a who script that would tell me when someone is logged in as root?
> For someone familiar with Perl, I think it should be fairly straight-forward.
I'm not familiar with Perl at all, but a couple of hours work produced this, which appears to work fine. I'll include it as a sample of how to hook into the Hobbit server-side channels.
To use it, put it in your ~hobbit/server/ext/ directory, and add this to your hobbitlaunch.cfg on your server:

    [rootlogin]
        ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
        NEEDS hobbitd
        CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl

Regards, Henrik
Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor against /var/log/messages or /var/log/secure. For example, on Fedora Core 6, you get these tell-tale entries in /var/log/secure. The first was a failed attempt while the 2nd is a successful attempt.

    Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
    Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)

If these entries got forwarded to a remote syslog server, the trigger would be much less vulnerable to tampering.
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
On Sun, Jan 28, 2007 at 08:42:34AM -0500, Jerry Yu wrote:
> Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor [...]
It wasn't so much to implement the "is root logged in" check as to show how server-side modules can be implemented. The check for an active root login is just what got me into writing this sample code.
Regards, Henrik
ah, the server side extension. great, now I know how to extend on the server side.
Hi Henrik,
Will this example be included in the next release or in the FAQ/documentation?
I think this is worth it! (I might even have to reconsider the way I'm aggregating clients values for my ganglia-like output *grumble*)
Cheers, Gildas
On Mon, Jan 29, 2007 at 02:01:06PM +0000, Gildas Le Nadan wrote:
> Hi Henrik,
> Will this example be included in the next release or in the FAQ/documentation?
I'll include it with the next release. There's already a hobbitd_sample.c file showing how to use the Hobbit channels from a C program, so it fits in well with this.
Regards, Henrik
Am I missing something? The rootlogin.pl is not working.
Here is the log

    PID 20669, cause Bad file number
    2007-01-29 12:53:49 Our child has failed and will not talk to us: Channel client, PID 20669, cause Bad file number
    2007-01-29 12:54:04 Our child has failed and will not talk to us: Channel client, PID 20669, cause Bad file number

Thanks Richard
-----Original Message-----
From: Henrik Stoerner [mailto:henrik at hswn.dk]
Sent: Sunday, January 28, 2007 6:48 AM
To: hobbit at hswn.dk
Subject: [hobbit] Sample of Hobbit server-side module (was: Who Test)
In <001e01c743d6$a5c32340$4902010a at rac.raccorp.corp> "Richard Leon" <rleon at racenter.com> writes:
> Am I missing something? The rootlogin.pl is not working .

Can you run it by hand? Do this

    BB=/bin/echo BBDISP=0.0.0.0 ~hobbit/server/ext/rootlogin.pl

and feed it this input:

    ---- cut here ----
    @@client#12345/localhost|1169985951.340108|10.0.0.152|localhost|sunos|sunos
    [who]
    hstoerne pts/0 Jan 28 00:07 (from somewhere)
    root ttyS0 Nov 1 11:13
    @@
    ---- end of input ----

It should yield this output:

    0.0.0.0 status localhost.login red ROOT login active
    &red ROOT login detected!
    hstoerne pts/0 Jan 28 00:07 (from somewhere)
    root ttyS0 Nov 1 11:13

I suspect it's something silly like your perl being in /usr/local/bin instead of /usr/bin (adjust the first line of the script if that is the case).

Henrik
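
An added example, not part of the thread and not Henrik's rootlogin.pl (which the archive does not include): a Python sketch of the server-side worker described above, reading client messages from hobbitd_channel on stdin and sending a status through the BB and BBDISP environment variables used in the test command. The hostname check, the green wording and the function names are assumptions of this example; dots in the hostname are replaced with commas, as Hobbit status messages expect.

```python
import os
import re
import subprocess
import sys

HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # assumption: DNS-style names only

def parse_client_message(lines):
    """Split one '@@client...' message into (hostname, {section: text})."""
    header = lines[0].split("|")  # hostname is the fourth '|'-delimited field
    if len(header) < 4 or not HOST_RE.fullmatch(header[3]):
        raise ValueError("malformed header or unexpected hostname")
    sections, body = {}, None
    for line in lines[1:]:
        marker = re.fullmatch(r"\[([^\]]+)\]", line)
        if marker:
            body = sections.setdefault(marker.group(1), [])
        elif body is not None:
            body.append(line)
    return header[3], {name: "\n".join(text) for name, text in sections.items()}

def root_login_status(hostname, who):
    red = ("red", "ROOT login active", "ROOT login detected!")
    green = ("green", "OK", "No root login active")  # green wording is constructed
    color, summary, detail = red if re.search(r"^root\s", who, re.MULTILINE) else green
    host = hostname.replace(".", ",")  # status messages carry hostnames with commas
    return f"status {host}.login {color} {summary}\n&{color} {detail}\n\n{who}"

def main(stream=sys.stdin):
    buf = []
    for raw in stream:
        line = raw.rstrip("\n")
        if line.startswith("@@client"):
            buf = [line]  # a new header always starts a fresh message
        elif line == "@@" and buf:
            try:
                host, sections = parse_client_message(buf)
                if "who" in sections:
                    msg = root_login_status(host, sections["who"])
                    # Argument list, no shell: client-supplied text stays data.
                    subprocess.run([os.environ["BB"], os.environ["BBDISP"], msg])
            except ValueError as err:
                print(f"skipped client message: {err}", file=sys.stderr)
            buf = []
        elif buf:
            buf.append(line)

if __name__ == "__main__":
    main()
```

Everything in a client message is reported by the monitored host itself, so the worker treats the hostname and the [who] text as untrusted input: the hostname is validated before use and the status text is never interpolated into a shell command line.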
participants (5)
- gn1@sanger.ac.uk
- henrik@hswn.dk
- jjj863@gmail.com
- rleon@racenter.com
- stef.coene@docum.org