From: vogelke+unix@pobox.com (Karl Vogel)
To: freebsd-questions@freebsd.org
Subject: Re: How to achieve E-Mail Notification on root login?
Date: Tue, 12 Feb 2013 14:32:04 -0500 (EST)
Message-Id: <20130212193204.6AB08BF5C@kev.msw.wpafb.af.mil>
In-reply-to: <87mwv9lhoj.fsf@Shanna.FStaals.net> (message from Frank Staals on Tue, 12 Feb 2013 15:39:56 +0100)
Organization: Array Infotech
X-Disclaimer: I don't speak for the USAF or Array Infotech.

>> Robert Huff writes:
R> The bigger question is how quickly do you need to know - instantly?
R> once an hour? once a day?

>> On 12 Feb 2013 15:39:56 +0100, Frank Staals said:
F> I don't think anything other than instantly makes sense. If it would be
F> a batch thing sent once an hour/day/ then an attacker could
F> simply prevent the mail being sent, and/or remove her entry from the
F> log. Furthermore, one should realize that any setup would only be
F> guaranteed to report the first breach/login.

Yup. I can see two ways around this, and the first one is ugly.

1. Rename su and make it executable only by root, so you can't bypass
   the part that handles the email alert:

     # mv /usr/bin/su /usr/bin/sulocal
     # chmod 700 /usr/bin/sulocal

2. Create a script in a directory accessible only by root:

     # cat /root/bin/emailalert
     #!/bin/sh
     # sendmail -t takes the recipient from the To: header, so the
     # message needs headers; "root" as recipient is a placeholder.
     # id -urn reports the real uid: called from the setuid wrapper
     # below, a plain "id -un" would always answer "root".
     printf 'To: root\nSubject: root login alert\n\nroot login by %s\n' \
         "`/usr/bin/id -urn`" | exec /path/to/sendmail -t

3. Replace /usr/bin/su with a small setuid C program to call the script
   and then run the real su, something like:

     #include <stdlib.h>
     #include <unistd.h>

     int main(int argc, char **argv, char **envp)
     {
         (void)argc;
         system("/root/bin/emailalert");
         /* only reached if execve fails */
         execve("/usr/bin/sulocal", argv, envp);
         exit(1);
     }

The second (better) way is to have your logs immediately forwarded to
another host specifically set up for intrusion detection, install a
log-monitoring system there, and send the message from there. This way,
the original logs are more likely to be intact when you investigate.

--
Karl Vogel                      I don't speak for the USAF or my company

Some guy just yelled at me for texting and driving. I told him to get
off my hood and mind his own business.