Operating System - HP-UX

Re: triggering mail if command 'rm' executed

himacs
Super Advisor

triggering mail if command 'rm' executed

Hi Admins,


Somebody did some nasty things and our server ended up in a hung state; we lost /var and /usr.

No OS backup, no tape drive, no OS CD... Please don't ask why.

Direct root login is not disabled; everyone in this world uses root to log in to this server.


Because of some application dependency, we are not able to disable direct root login.


Now I am trying to write a script which triggers a mail if anybody runs the 'rm' command.


Please help me to write the logic of the script.


Regards

himacs

Patrick Wallek
Honored Contributor

Re: triggering mail if command 'rm' executed

What do you want to happen when someone executes 'rm'?  Do you want to just send an e-mail or do you want it to actually delete the files?


Patrick Wallek
Honored Contributor

Re: triggering mail if command 'rm' executed

At its simplest form:


1) Move /usr/bin/rm to /usr/bin/rm.orig

2) Take the following script and make it /usr/bin/rm and make sure it is executable by all users (555 permissions).


# cat rm

#!/usr/bin/sh
# Capture the arguments the caller passed to rm (quoted so spaces survive)
RM="$*"
# Mail the admin; this replacement only notifies, it does not delete anything
echo "The following rm command was run: ${RM}" | mailx -s "rm command" user@domain.com


The thing to keep in mind is that if you patch you will need to check the 'rm' command to make sure your custom script has not been overwritten.

himacs
Super Advisor

Re: triggering mail if command 'rm' executed

Hi Patrick,

Thanks for the response.

My requirement is, if anybody executes the rm command I should get a mail stating that user X ran rm from IP X.

I don't want to block users from executing the rm command.

Regards

himacs
himacs
Super Advisor

Re: triggering mail if command 'rm' executed

Patrick,


Thanks for the logic.


But if I move the rm binary, I cannot delete files, right?

The requirement is: if anyone executes rm, a mail should be triggered. Let them delete files, but I should get a notification.


Regards

himacs
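Putting Patrick's two steps together with himacs's requirement (files still get deleted, admin is told which user ran rm from which origin) and Dennis's preference for a local log, here is an added example wrapper; it is not code from this thread. It assumes the real binary was moved to /usr/bin/rm.orig, that mailx and logger exist, that "who am i" prints the origin host in parentheses for remote logins, and ADMIN is a placeholder address.

```sh
#!/usr/bin/sh
# Logging wrapper installed as /usr/bin/rm once the real binary has been
# moved to /usr/bin/rm.orig (step 1 of Patrick's recipe). Assumptions:
# mailx and logger exist, "who am i" shows the origin host in parentheses
# for remote logins, and ADMIN is a placeholder address to replace.
REAL_RM=/usr/bin/rm.orig
ADMIN=admin@example.com

# Build the one-line notice: who ran rm, from where, with which arguments.
# $1 is a "who am i" line (may be empty for cron/no-tty callers); the
# remaining arguments are the ones handed to rm.
rm_notice() {
    who_line=$1; shift
    if [ -z "$who_line" ]; then
        user=${LOGNAME:-unknown}; host=no-tty
    else
        user=${who_line%% *}
        # Origin host is the trailing "(...)" field; "local" if absent.
        case $who_line in
            *\(*\)) host=${who_line##*\(}; host=${host%\)} ;;
            *)      host=local ;;
        esac
    fi
    printf '%s\n' "user ${user} from ${host} ran: rm $*"
}

rm_wrapper_main() {
    notice=$(rm_notice "$(who am i 2>/dev/null)" "$@")
    # Log locally first (Dennis's point: a log survives a noisy mailbox),
    # then mail in the background so a slow mailer never blocks the user.
    logger -p auth.notice -t rm-wrapper "$notice" 2>/dev/null || :
    printf '%s\n' "$notice" | mailx -s "rm command" "$ADMIN" >/dev/null 2>&1 &
    # Hand over to the real rm so the files are still deleted and the
    # caller sees rm's own exit status.
    exec "$REAL_RM" "$@"
}

# Only act as the wrapper when invoked by the name "rm"; sourcing or
# running this file under another name just defines the functions.
case $0 in
    */rm|rm) rm_wrapper_main "$@" ;;
esac
```

Because everyone logs in as root, the wrapper only tells you the origin host, not the real person, and a root user can bypass it by calling rm.orig directly; it is a tripwire, not a control.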

Steven Schweda
Honored Contributor

Re: triggering mail if command 'rm' executed

Dennis Handly
Acclaimed Contributor

Re: triggering mail if command 'rm' executed

Do you really want to mail for each rm, instead of just logging it?

(Or are you worried that the logs will be removed too?  :-)

You could also enable auditing for unlink.

Steven E. Protter
Exalted Contributor

Re: triggering mail if command 'rm' executed

You really have a problem with who has what powers on the system. User privileges are the problem.

You can scan the .sh_history files for rm and send an email with the mailx -s command.

Of course by then the damage will already be done.

Also note that the .sh_history file can be altered by the user.

A more effective response would be a security audit and going over who has what powers as part of an analysis of sudo privileges and such.

SEP
Lo Someach, but back.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
himacs
Super Advisor

Re: triggering mail if command 'rm' executed


Hi Admins,

Thanks for the comment.
Anyhow, this server will be in production for the next 2 months. Let me introduce sudo or RBAC.

Thanks
himacs