Date:      Tue, 12 Feb 2013 14:32:04 -0500 (EST)
From:      vogelke+unix@pobox.com (Karl Vogel)
To:        freebsd-questions@freebsd.org
Subject:   Re: How to achieve E-Mail Notification on root login?
Message-ID:  <20130212193204.6AB08BF5C@kev.msw.wpafb.af.mil>
In-Reply-To: <87mwv9lhoj.fsf@Shanna.FStaals.net> (message from Frank Staals on Tue, 12 Feb 2013 15:39:56 +0100)
References:  <20130212132452.Horde.EO28CfwdHQDobBCC5akbvA7@d2ux.org> <20130212144618.82ed5353.freebsd@edvax.de> <20762.21059.118777.31186@jerusalem.litteratus.org> <87mwv9lhoj.fsf@Shanna.FStaals.net>

>> Robert Huff <roberthuff@rcn.com> writes:

R> The bigger question is how quickly do you need to know - instantly?
R> once an hour?  once a day?

>> On 12 Feb 2013 15:39:56 +0100, Frank Staals <frank@fstaals.net> said:

F> I don't think anything other than instantly makes sense. If it would be
F> a batch thing sent once an hour/day/<whatever> then an attacker could
F> simply prevent the mail being sent, and/or remove her entry from the
F> log.  Furthermore, one should realize that any setup would only be
F> guaranteed to report the first breach/login.

   Yup.  I can see two ways around this, and the first one is ugly.

   1.  Rename su and make it executable only by root, so you can't bypass
       the part that handles the email alert:

       # mv /usr/bin/su /usr/bin/sulocal
       # chmod 700 /usr/bin/sulocal

   2.  Create a script in a directory accessible only by root:

       # cat /root/bin/emailalert
       #!/bin/sh
       # sendmail -t takes the recipient from the headers, so send a complete message;
       # "id -r" reports the real (invoking) user, since the setuid wrapper runs this as root
       /usr/bin/printf 'To: root\nSubject: root login by %s\n\n' "`/usr/bin/id -unr`" |
           exec /path/to/sendmail -t
       exit 1

   3.  Replace /usr/bin/su with a small setuid C program to call the
       script and then run the real su, something like:

       #include <stdlib.h>
       #include <unistd.h>

       int main(int argc, char **argv, char **envp) {
           /* send the alert first; system() runs /bin/sh with the caller's environment */
           system("/root/bin/emailalert");
           execve("/usr/bin/sulocal", argv, envp);  /* then run the real su */
           exit(1);                                 /* only reached if execve fails */
       }

   The second (better) way is to have your logs immediately forwarded to
   another host specifically set up for intrusion detection, install a
   log-monitoring system there, and send the message from there.  This way,
   the original logs are more likely to be intact when you investigate.

-- 
Karl Vogel                      I don't speak for the USAF or my company

Some guy just yelled at me for texting and driving.  I told him to
get off my hood and mind his own business.
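The log-host approach from the message above, as an added example that is not part of the original post: a small monitor that picks su-to-root and direct root logins out of forwarded syslog lines and builds the complete message the alert script needs for `sendmail -t`. The su(1)/login(1) line formats are assumed, and the sample log is constructed.

```python
import re

# Constructed sample of syslog lines as they might arrive on the log host
# (assumed FreeBSD su(1)/login(1) formats; not taken from a real machine).
SAMPLE_LOG = """\
Feb 12 14:30:01 kev sshd[812]: Accepted publickey for vogelke from 10.0.0.5 port 51234 ssh2
Feb 12 14:31:10 kev su: BAD SU vogelke to root on /dev/pts/0
Feb 12 14:32:04 kev su: vogelke to root on /dev/pts/0
Feb 12 14:33:00 kev su: vogelke to operator on /dev/pts/0
Feb 12 14:35:12 kev login: ROOT LOGIN (root) ON ttyv0
"""

_TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
SU_RE = re.compile(_TS + r'su(?:\[\d+\])?: (?P<bad>BAD SU )?'
                   r'(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$')
LOGIN_RE = re.compile(_TS + r'login(?:\[\d+\])?: ROOT LOGIN '
                      r'\((?P<user>[^)]+)\) ON (?P<tty>\S+)$')

def root_events(lines):
    """Pick out every successful or failed acquisition of uid 0."""
    events = []
    for line in lines:
        m = SU_RE.match(line)
        if m:
            if m.group('target') != 'root':
                continue                      # su to a non-root account
            kind = 'bad_su' if m.group('bad') else 'su'
        else:
            m = LOGIN_RE.match(line)
            if not m:
                continue
            kind = 'login'
        events.append({'kind': kind, 'ts': m.group('ts'), 'host': m.group('host'),
                       'user': m.group('user'), 'tty': m.group('tty')})
    return events

def format_alert(event, to='root'):
    """Build a complete message for `sendmail -t`, which reads recipients from headers."""
    what = {'su': 'root login via su', 'bad_su': 'FAILED su to root',
            'login': 'direct root login'}[event['kind']]
    return ('To: %s\nSubject: %s on %s by %s\n\n%s %s %s on %s\n'
            % (to, what, event['host'], event['user'],
               event['ts'], event['host'], what, event['tty']))

if __name__ == '__main__':
    for ev in root_events(SAMPLE_LOG.splitlines()):
        print(format_alert(ev))
```

Because the failed attempt at 14:31:10 is reported as well as the success, the log host sees the first breach even when the intruder later cleans the originating machine's own logs.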
