Operating System - HP-UX

Enabling mails for notification of root login failures / sus to root

 
SSP_1
Regular Advisor

Hi,

If I have sendmail configured on an HP-UX 11.00 box and want to enable my mail id to receive the mails for each attempt of root login success/failure as well as su to root, how do I go about it?

Regards.
Shripad
Obstacles exist to challenge you to keep going. Not to quit.
Steven Sim Kok Leong
Honored Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi,

Quick and dirty method:

For su, to trace and identify all successful and unsuccessful su's.
1) mv /usr/bin/su to /usr/bin/su.bin
2) vi /usr/bin/su
===========================
#!/sbin/sh
# Recipient of the notifications; hard-coded on purpose so that a caller
# cannot redirect them by setting a variable in the environment.
EMAIL_ADDR=your.name@yourcompany.com
# Report the attempt first, then hand over to the real su binary.
echo "su attempted: $*" | mail "$EMAIL_ADDR"
/usr/bin/su.bin "$@"
rc=$?
if [ "$rc" != "0" ]
then
echo "Unsuccessful su: $*" | mail "$EMAIL_ADDR"
else
echo "Successful su: $*" | mail "$EMAIL_ADDR"
fi
# Preserve the exit status of the real su for the caller.
exit $rc
===========================
3) chmod 755 su

For login, to trace all successful root logins,
1) vi /etc/profile and /etc/csh.login
2) add this line:
===========================
# Bourne/POSIX shell syntax, for /etc/profile.
EMAIL_ADDR=your.name@yourcompany.com
if [ "$LOGNAME" = "root" ]
then
echo "$LOGNAME has logged in"|mail "$EMAIL_ADDR"
fi
# /etc/csh.login is read by csh, so the same check there needs csh syntax:
#   if ("$LOGNAME" == "root") echo "$LOGNAME has logged in" | mail your.name@yourcompany.com
===========================

Of course, these scripts can be refined further to accommodate your needs.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Eugen Cocalea
Respected Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi,

Why not make a script to watch the /var/adm/sulog file (this is the file that keeps all successful/unsuccessful 'su' attempts) and mail the results to you?

For 'normal' logins, use /var/adm/btmp (bad logins) and /var/adm/wtmp - the rest.

E.
To Live Is To Learn
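A cron-driven script that does what Eugen describes above, as an added example that is not from this thread: it remembers how much of /var/adm/sulog it has already reported and mails only the new su-to-root entries, successful or failed. The sulog line format ("SU MM/DD hh:mm + pts/1 user-root", with "-" for a failure), the state file path and the recipient are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: poll /var/adm/sulog from cron and mail
# only the su-to-root entries that appeared since the previous run.
# Assumed sulog line format: "SU MM/DD hh:mm + pts/1 user-root" ("+" success,
# "-" failure); SULOG, STATE and MAILTO are placeholders to adjust.

SULOG=${SULOG:-/var/adm/sulog}
STATE=${STATE:-/var/adm/sulog.reported}   # number of lines already reported
MAILTO=${MAILTO:-root}

# new_root_su LOG STATEFILE
# Prints one line per new su attempt targeting root and returns 0;
# returns 1 when there is nothing new to report.
new_root_su() {
    log=$1; state=$2; last=0
    [ -f "$state" ] && read -r last < "$state"
    total=$(wc -l < "$log" | tr -d ' ')
    # Log rotated or truncated since the last run: rescan from the top.
    [ "$total" -lt "$last" ] && last=0
    echo "$total" > "$state"
    [ "$total" -gt "$last" ] || return 1
    found=$(sed -n "$((last + 1)),\$p" "$log" | awk '
        $1 == "SU" && $6 ~ /-root$/ {
            sub(/-root$/, "", $6)
            what = ($4 == "+") ? "SUCCESSFUL" : "FAILED"
            printf "%s su to root by %s on %s at %s %s\n", what, $6, $5, $2, $3
        }')
    [ -n "$found" ] || return 1
    echo "$found"
}

# Cron entry (every five minutes): */5 * * * * /usr/local/sbin/su_alert.sh run
main() {
    alerts=$(new_root_su "$SULOG" "$STATE") || exit 0
    echo "$alerts" | mailx -s "su to root on $(hostname)" "$MAILTO"
}

case ${1:-} in
    run) main ;;
esac
```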
Steven Sim Kok Leong
Honored Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi,

Well, there is a difference between polling and trapping (trigger) methods.

For immediate alert and response, a trigger (when su or login happens) does not require scheduling a cron job. Polling, on the other hand (as in reading the logs periodically), would require a cron job that is scheduled to run every minute. As such, polling would take up more resources.

It really depends on your needs. I was looking more in the context of triggers for immediate alerting (e.g. paging alert).

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Eugen Cocalea
Respected Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi,

You can add the following to the /etc/syslog.conf:

pam.* | /usr/local/sbin/email_notice

and /usr/local/sbin/email_notice can contain something like:

===========================
#!/sbin/sh
# Mail the most recent sulog entry to the recipient (placeholder address).
tail -1 /var/adm/sulog | mailx -s "new sulog entry" your.name@yourcompany.com
===========================

and variations on the same theme: if you want to be notified of something that happened, make syslog send you an email.

E.
To Live Is To Learn
Phil Daws_1
New Member

Re: Enabling mails for notification of root login failures / sus to root

If you have Perl installed on your machine then you could use the module File::Tail to monitor when changes are made to sulog etc. Have a look at http://search.cpan.org/search?dist=File-Tail. The load on the system is negligible and you can kick the script off in your RC files. When a new entry appears in the logfile the script will perform whatever action you want, and it picks up the changes as soon as they happen.
Robin Wakefield
Honored Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi Shripad,

Try this script. You'll have to switch inetd logging on (inetd -l).

===========================================
#!/bin/ksh

MAILTO=your.name@yourcompany.com

# Follow syslog.log as it grows. su records carry "+" (success) or "-"
# (failure) before the tty and end with the target user; with inetd -l,
# each incoming telnet/rlogin connection is logged as a "login/tcp" line.
tail -1f /var/adm/syslog/syslog.log | while read line ; do
  echo "$line" | grep -q " - .*root$" &&
    (echo "su unsuccessful - $(echo "$line" | cut -d" " -f1,2,3,10)" | mailx $MAILTO)
  echo "$line" | grep -q " + .*root$" &&
    (echo "su successful - $(echo "$line" | cut -d" " -f1,2,3,10)" | mailx $MAILTO)
  if echo "$line" | grep -q "login/tcp" ; then
    # PID of the inetd that accepted the connection, taken from "inetd[NNNN]"
    # (ksh runs the last stage of a pipeline in the current shell, so read works)
    echo "$line" | sed 's/.*inetd.\([0-9][0-9]*\).*/\1/' | read PID
    # UID (column 3 of ps -elf) of the process whose parent (column 5) is that inetd
    ps -elf | awk '$5 == PID{print $3}' PID=$PID | read USER
    echo "$(echo "$line" | cut -d" " -f1,2,3) - $USER logged in" | mailx $MAILTO
  fi
done
===========================================

Rgds, Robin.
Sanjay_6
Honored Contributor

Re: Enabling mails for notification of root login failures / sus to root

Hi,

To forward all emails to root on your system to your user id, add an entry in /etc/mail/aliases and then rebuild the aliases.

To add an alias, vi /etc/mail/aliases and add this entry at the bottom, after Local Aliases:


root: your.email.address

Now to rebuild the alias file, just stop and restart the sendmail daemon:

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Now send a mail to root on the system and check whether that mail is forwarded to your email address.

Hope this helps.

Regds