Date: Tue, 12 Feb 2013 15:39:56 +0100
From: Frank Staals <frank@fstaals.net>
To: Robert Huff <roberthuff@rcn.com>
Cc: Polytropon <freebsd@edvax.de>, Matthias Petermann <matthias@d2ux.org>, freebsd-questions@freebsd.org
Subject: Re: How to achieve E-Mail Notification on root login?
Message-ID: <87mwv9lhoj.fsf@Shanna.FStaals.net>
In-Reply-To: <20762.21059.118777.31186@jerusalem.litteratus.org> (Robert Huff's message of "Tue, 12 Feb 2013 09:31:31 -0500")
References: <20130212132452.Horde.EO28CfwdHQDobBCC5akbvA7@d2ux.org> <20130212144618.82ed5353.freebsd@edvax.de> <20762.21059.118777.31186@jerusalem.litteratus.org>
Robert Huff <roberthuff@rcn.com> writes:

> Polytropon writes:
>
>> > given there is a FreeBSD system with users in the wheel group,
>> > what is the best practice to send out a notification
>> > via E-Mail if one of them becomes root via su? In an ideal
>> > case the E-Mail would contain the user name and the time.
>>
>> I'm not sure if there already is a solution (provided in the
>> base system) that offers this functionality, but the fact of
>> a user having used "su" to "su root" is logged by the system.
>> The line is appended to /var/log/messages:
>>
>> Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
>>
>> The information you want is in there, and you could either use
>> the whole line, or apply some sed, awk or even perl to form a
>> message with less information (only date and user).
>>
>> A scripted solution could monitor /var/log/messages for changes
>> and use the system's builtin mailer to deliver the message. Tools
>> like "tail -f", "grep" and "| mail" could be involved. It should
>> be quite trivial to implement this and add a custom rc.d-style
>> script (or even few lines in ye olde /etc/rc.local).
>
> Take a look at the "-p" option of "split".
> The bigger question is how quickly do you need to know -
> instantly? once an hour? once a day?
>
>
> Robert Huff

I don't think anything other than instantly makes sense. If it would be
a batch thing sent once an hour/day/<whatever> then an attacker could
simply prevent the mail being sent, and/or remove her entry from the
log.

Furthermore, one should realize that any setup would only be guaranteed
to report the first breach/login. In other words: after the first notice
that someone logged in as root you can no longer trust that you will get
further notices (assuming that the emails safely arrive once they have
actually left the system in the first place). Unless you can somehow
verify that your notification system/setup was untouched by the person
who logged in (e.g. since you were the one that actually logged in as
root).

Regards,

--
- Frank
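A shell sketch of the tail/grep/mail pipeline Polytropon describes, added here as an example and not code posted in the thread; it assumes the syslog line format quoted above, mail(1) on the host, and ADMIN_ADDR as a constructed placeholder, and it mails each hit immediately rather than in a batch, for the reason Frank gives.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the FreeBSD syslog line
# "Mon DD HH:MM:SS host su: USER to root on TTY" (as quoted by Polytropon),
# mail(1) on the host, and ADMIN_ADDR as a constructed placeholder address.
ADMIN_ADDR="${ADMIN_ADDR:-root@example.invalid}"

# parse_su_line LINE: print "date|host|user|tty" for a successful su to root;
# print nothing and return 1 for su to any other user or for unrelated lines.
# Note: a syslog tag with a pid ("su[1234]:") would not match this pattern.
parse_su_line() {
    printf '%s\n' "$1" | awk '
        $5 == "su:" && $7 == "to" && $8 == "root" && $9 == "on" {
            printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, $4, $6, $10
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# format_notice RECORD: build the mail body (user name and time, as asked for).
format_notice() {
    IFS='|' read -r when host who tty <<EOF
$1
EOF
    printf 'su to root detected\nuser: %s\ntime: %s\nhost: %s\ntty:  %s\n' \
        "$who" "$when" "$host" "$tty"
}

# watch_su_log [LOGFILE]: follow the log and mail every hit at once. No
# batching: a delayed digest gives an intruder time to suppress it.
watch_su_log() {
    tail -n 0 -F "${1:-/var/log/messages}" | while IFS= read -r line; do
        rec=$(parse_su_line "$line") || continue
        format_notice "$rec" | mail -s "su to root on $(hostname)" "$ADMIN_ADDR"
    done
}

# Start the watcher with: ./su-notify.sh --watch [LOGFILE]
if [ "${1:-}" = "--watch" ]; then
    watch_su_log "${2:-}"
fi
```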
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87mwv9lhoj.fsf>