How to achieve E-Mail Notification on root login?

2013-02-12 Thread Matthias Petermann


Hello,

given there is a FreeBSD system with users in the wheel group, what is
the best practise to send out a notification via E-Mail if one of them
becomes root via su? In an ideal case the E-Mail would contain the user
name and the time.

I thought about using sudo but this is not in the base system which I  
would prefer.


Kind regards,
Matthias


--
Matthias Petermann matth...@d2ux.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Polytropon
On Tue, 12 Feb 2013 13:24:52 +0100, Matthias Petermann wrote:
 
 Hello,
 
 given there is a FreeBSD system with users in the wheel group, what is  
 the best practise
 to send out a notification via E-Mail if one of them becomes root via  
 su? In an ideal
 case the E-Mail would contain the user name and the time.
 
 I thought about using sudo but this is not in the base system which I  
 would prefer.

I'm not sure if there already is a solution (provided in the
base system) that offers this functionality, but the fact of
a user having used su to su root is logged by the system.
The line is appended to /var/log/messages:

Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2

The information you want is in there, and you could either use
the whole line, or apply some sed, awk or even perl to form a
message with less information (only date and user).

A scripted solution could monitor /var/log/messages for changes
and use the system's builtin mailer to deliver the message. Tools
like tail -f, grep and | mail could be involved. It should
be quite trivial to implement this and add a custom rc.d-style
script (or even few lines in ye olde /etc/rc.local).



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
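The scripted solution sketched above, as an added example that is not code from the thread: it follows /var/log/messages with base-system tools only and mails a reduced "user, time, tty" line. It assumes the log format quoted in the post ("... su: USER to root on TTY"), that failed attempts are logged with a "BAD SU" prefix, and uses a placeholder recipient in ALERT_TO.

```shell
#!/bin/sh
# Added example, not code from the thread. Watches /var/log/messages for the
# su line quoted above ("... su: USER to root on TTY") and mails a short
# alert with base-system tools only (tail -F, sh, mail). Assumes successful
# switches are logged as "su: USER to root on TTY" and failed attempts as
# "su: BAD SU USER to root on TTY"; ALERT_TO is a placeholder recipient.

ALERT_TO="${ALERT_TO:-root}"

# Reduce one syslog line to "user time tty"; returns 1 for lines that are
# not a successful su to root, so the caller can skip them.
su_alert_line() {
    case $1 in
        *' su: BAD SU '*) return 1 ;;          # failed attempt: no alert here
        *' su: '*' to root on '*) ;;           # successful su to root
        *) return 1 ;;
    esac
    set -- $1        # fields: Mon DD HH:MM:SS host su: USER to root on TTY
    printf 'root login by %s at %s %s %s on %s\n' "$6" "$1" "$2" "$3" "${10}"
}

# Follow the log (tail -F survives newsyslog rotation) and mail each alert.
watch_su_log() {
    tail -F "${1:-/var/log/messages}" | while IFS= read -r line; do
        msg=$(su_alert_line "$line") || continue
        printf '%s\n' "$msg" | mail -s "root login on $(hostname)" "$ALERT_TO"
    done
}

# Constructed sample input so the parser can be exercised without a live log.
SAMPLE_LOG='Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
Feb 12 14:41:03 r56 sshd[1234]: Accepted publickey for poly from 10.0.0.5
Feb 12 14:42:10 r56 su: BAD SU poly to root on /dev/pts/2'

# Only the first sample line produces an alert.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    su_alert_line "$line" || :
done
```

To run it for real, call watch_su_log from /etc/rc.local or an rc.d script; the top-level loop only exercises the parser on the constructed sample.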


Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Robert Huff

Polytropon writes:

   given there is a FreeBSD system with users in the wheel group, 
   what is the best practise to send out a notification
   via E-Mail if one of them becomes root via su? In an ideal
   case the E-Mail would contain the user name and the time.
  
  I'm not sure if there already is a solution (provided in the
  base system) that offers this functionality, but the fact of
  a user having used su to su root is logged by the system.
  The line is appended to /var/log/messages:
  
   Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
  
  The information you want is in there, and you could either use
  the whole line, or apply some sed, awk or even perl to form a
  message with less information (only date and user).
  
  A scripted solution could monitor /var/log/messages for changes
  and use the system's builtin mailer to deliver the message. Tools
  like tail -f, grep and | mail could be involved. It should
  be quite trivial to implement this and add a custom rc.d-style
  script (or even few lines in ye olde /etc/rc.local).

Take a look at the -p option of split.
The bigger question is how quickly do you need to know -
instantly?  once an hour?  once a day?  


Robert Huff



Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Frank Staals
Robert Huff roberth...@rcn.com writes:

 Polytropon writes:

   given there is a FreeBSD system with users in the wheel group, 
   what is the best practise to send out a notification
   via E-Mail if one of them becomes root via su? In an ideal
   case the E-Mail would contain the user name and the time.
  
  I'm not sure if there already is a solution (provided in the
  base system) that offers this functionality, but the fact of
  a user having used su to su root is logged by the system.
  The line is appended to /var/log/messages:
  
  Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
  
  The information you want is in there, and you could either use
  the whole line, or apply some sed, awk or even perl to form a
  message with less information (only date and user).
  
  A scripted solution could monitor /var/log/messages for changes
  and use the system's builtin mailer to deliver the message. Tools
  like tail -f, grep and | mail could be involved. It should
  be quite trivial to implement this and add a custom rc.d-style
  script (or even few lines in ye olde /etc/rc.local).

   Take a look at the -p option of split.
   The bigger question is how quickly do you need to know -
 instantly?  once an hour?  once a day?  


   Robert Huff

I don't think anything other than instantly makes sense. If it would be
a batch thing sent once an hour/day/whatever then an attacker could
simply prevent the mail being sent, and/or remove her entry from the
log. 

Furthermore, one should realize that any setup would only be guaranteed
to report the first breach/login. In other words: after the first notice
that someone logged in as root you can no longer trust that you will get
further notices (assuming that the emails safely arrive once they have
actually left the system in the first place). Unless you can somehow
verify that your notification system/setup was untouched by the person
who logged in (e.g. since you were the one that actually logged in as
root).

Regards, 

-- 

- Frank


Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Zyumbilev, Peter
Hi,

Allow sudo bash only.

Modify .bashrc to mail last entry from the log

http://tldp.org/LDP/abs/html/sample-bashrc.html

So you will get alert instantly :-)


Peter



On 12/02/2013 16:31, Robert Huff wrote:
 
 Polytropon writes:
 
   given there is a FreeBSD system with users in the wheel group, 
   what is the best practise to send out a notification
   via E-Mail if one of them becomes root via su? In an ideal
   case the E-Mail would contain the user name and the time.
  
  I'm not sure if there already is a solution (provided in the
  base system) that offers this functionality, but the fact of
  a user having used su to su root is logged by the system.
  The line is appended to /var/log/messages:
  
  Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
  
  The information you want is in there, and you could either use
  the whole line, or apply some sed, awk or even perl to form a
  message with less information (only date and user).
  
  A scripted solution could monitor /var/log/messages for changes
  and use the system's builtin mailer to deliver the message. Tools
  like tail -f, grep and | mail could be involved. It should
  be quite trivial to implement this and add a custom rc.d-style
  script (or even few lines in ye olde /etc/rc.local).
 
   Take a look at the -p option of split.
   The bigger question is how quickly do you need to know -
 instantly?  once an hour?  once a day?  
 
 
   Robert Huff
 
 


Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Karl Vogel
 Robert Huff roberth...@rcn.com writes:

R The bigger question is how quickly do you need to know - instantly?
R once an hour?  once a day?

 On 12 Feb 2013 15:39:56 +0100, Frank Staals fr...@fstaals.net said:

F I don't think anything other than instantly makes sense. If it would be
F a batch thing sent once an hour/day/whatever then an attacker could
F simply prevent the mail being sent, and/or remove her entry from the
F log.  Furthermore, one should realize that any setup would only be
F guaranteed to report the first breach/login.

   Yup.  I can see two ways around this, and the first one is ugly.

   1.  Rename su and make it executable only by root, so you can't bypass
   the part that handles the email alert:

   # mv /usr/bin/su /usr/bin/sulocal
   # chmod 700 /usr/bin/sulocal

   2.  Create a script in a directory accessible only by root:

   # cat /root/bin/emailalert
   #!/bin/sh
   # id -run: the real uid is the invoking user (the effective uid is root
   # when run from a setuid wrapper); sendmail -t takes the recipient from
   # the To: header, so headers are part of the message (placeholder address)
   printf 'To: admin@example.invalid\nSubject: root login\n\nroot login by %s\n' \
       "`/usr/bin/id -run`" | exec /path/to/sendmail -t
   exit 1

   3.  Replace /usr/bin/su with a small setuid C program to call the
   script and then run the real su, something like:

   #include <stdlib.h>
   #include <unistd.h>

   int main(int argc, char **argv, char **envp) {
   /* send the alert first, then hand over to the real su */
   system("/root/bin/emailalert");
   execve("/usr/bin/sulocal", argv, envp);
   exit(1);   /* only reached if execve fails */
   }

   The second (better) way is to have your logs immediately forwarded to
   another host specifically set up for intrusion detection, install a
   log-monitoring system there, and send the message from there.  This way,
   the original logs are more likely to be intact when you investigate.

-- 
Karl Vogel  I don't speak for the USAF or my company

Some guy just yelled at me for texting and driving.  I told him to
get off my hood and mind his own business.


Re: How to achieve E-Mail Notification on root login?

2013-02-12 Thread Chris Hill

On Tue, 12 Feb 2013, Zyumbilev, Peter wrote:


Allow sudo bash only.


The OP didn't want to use sudo because it's not in the base system. I 
would guess he also doesn't want to use bash, since it too is not in the 
base system.


 [ snip ]

--
Chris Hill   ch...@monochrome.org
** [ Busy Expunging / ]