12-03-2001 10:56 PM
Enabling mails for notification of root login failures / sus to root
If I have sendmail configured on an HP-UX 11.00 box and want to enable my mail ID to receive mails for each attempt of root login success/failure as well as su to root, how do I go about it?
Regards.
Shripad
12-03-2001 11:52 PM
Re: Enabling mails for notification of root login failures / sus to root
Quick and dirty method:
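For su, to trace and identify all successful and unsuccessful su's:
1) mv /usr/bin/su to /usr/bin/su.bin
2) vi /usr/bin/su
===========================
#!/sbin/sh
# Wrapper for the real su binary (moved to /usr/bin/su.bin): mails every attempt and its outcome.
EMAIL_ADDR=your.name@yourcompany.com   # placeholder: address that receives the notifications
echo "$*" | mail "$EMAIL_ADDR"
/usr/bin/su.bin "$@"                   # "$@" keeps each original argument intact
rc=$?
if [ "$rc" != "0" ]
then
    echo "Unsuccessful su: $*" | mail "$EMAIL_ADDR"
else
    echo "Successful su: $*" | mail "$EMAIL_ADDR"
fi
exit $rc                               # hand the real su exit status back to the caller
===========================
3) chmod 755 /usr/bin/su
For login, to trace all successful root logins:
1) vi /etc/profile and /etc/csh.login
2) add these lines:
===========================
# Bourne/POSIX shell syntax; EMAIL_ADDR must hold the recipient address
if [ "$LOGNAME" = "root" ]
then
    echo "$LOGNAME has logged in" | mail "$EMAIL_ADDR"
fi
===========================
Of course, these scripts can be refined further to accommodate your needs.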
Hope this helps. Regards.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
12-04-2001 12:09 AM
Re: Enabling mails for notification of root login failures / sus to root
Why not make a script to watch the /var/adm/sulog file (this is the file that keeps all successful/unsuccessful 'su' attempts) and mail the results to you?
For 'normal' logins, use /var/adm/btmp (bad logins) and /var/adm/wtmp - the rest.
E.
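The sulog watcher suggested in the reply above, as an added example that is not part of the original thread: it reports only the su attempts to root appended since the previous run, so cron can call it without re-mailing old entries. The function names, the state-file argument and the `SU date time +/- tty from-to` line layout are assumptions, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: report su-to-root entries appended to sulog since the last run.
# Assumed line format: SU MM/DD HH:MM +|- tty fromuser-touser

# new_root_su_events SULOG STATEFILE (hypothetical helper name)
# Prints one line per new su-to-root entry, then records how far it has read.
new_root_su_events() {
    sulog=$1
    state=$2
    [ -r "$sulog" ] || return 1
    seen=0
    [ -r "$state" ] && seen=$(cat "$state")
    case $seen in ''|*[!0-9]*) seen=0 ;; esac   # unusable state: start over
    total=$(wc -l < "$sulog" | tr -d ' ')
    [ "$total" -lt "$seen" ] && seen=0          # log truncated or rotated
    # Upper bound NR <= total: lines appended after the count wait for next run.
    awk -v seen="$seen" -v total="$total" '
        NR > seen && NR <= total && $1 == "SU" && $6 ~ /-root$/ {
            from = $6
            sub(/-root$/, "", from)
            result = ($4 == "+") ? "successful" : "FAILED"
            printf "%s su to root by %s on %s at %s %s\n", result, from, $5, $2, $3
        }' "$sulog"
    echo "$total" > "$state"
}

# Runs the helper over a constructed sulog (sample data, not from a real host).
demo_run() {
    dir=${TMPDIR:-/tmp}/sulog_demo.$$
    mkdir "$dir" || return 1
    cat > "$dir/sulog" <<'EOF'
SU 12/03 23:40 + ttyp1 shripad-root
SU 12/03 23:41 - ttyp2 guest-root
SU 12/03 23:42 + ttyp3 root-oracle
EOF
    new_root_su_events "$dir/sulog" "$dir/state"
    rm -rf "$dir"
}

# Cron use: script SULOG STATEFILE RECIPIENT mails the report if there is one.
if [ $# -eq 3 ]; then
    report=$(new_root_su_events "$1" "$2") || exit 1
    [ -n "$report" ] && echo "$report" | mailx -s "su to root on $(hostname)" "$3"
    exit 0
elif [ "${1:-}" = "--demo" ]; then
    demo_run
fi
```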
12-04-2001 12:25 AM
Re: Enabling mails for notification of root login failures / sus to root
Well, there is a difference between polling and trap'ing (triggers) methods.
For immediate alert and response, a trigger (when su or login happens) does not require the need to schedule a cron job. Polling on the other hand (as in reading the logs periodically) would require a cron job that is scheduled to run every minute. As such, polling would take up more resources.
It really depends on your needs. I was looking more in the context of triggers for immediate alerting (e.g. paging alert).
Hope this helps. Regards.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
12-04-2001 12:38 AM
Re: Enabling mails for notification of root login failures / sus to root
You can add the following to the /etc/syslog.conf:
pam.* | /usr/local/sbin/email_notice
and /usr/local/sbin/email_notice can contain something like:
'tail -n 1 /var/adm/sulog|mail -d
and variations on the same theme, like, if you want to be notified of something that happened, make syslog send you an email.
E.
12-04-2001 12:41 AM
Re: Enabling mails for notification of root login failures / sus to root
12-04-2001 01:57 AM
Re: Enabling mails for notification of root login failures / sus to root
Try this script. You'll have to switch inetd logging on (inetd -l)
===========================================
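#!/bin/ksh
# Follow syslog.log and mail a notice for each su to root and each inetd login.
MAILTO=your.name@yourcompany.com
set -f   # no filename expansion: $line is kept unquoted below
tail -1f /var/adm/syslog/syslog.log | while read -r line ; do
    # Unquoted $line collapses runs of blanks, so the cut field numbers stay fixed.
    # su failure: " - " marker, entry ends in "root"
    echo $line | grep -q " - .*root$" &&
        (echo su unsuccessful - `echo $line | cut -d" " -f1,2,3,10` | mailx $MAILTO)
    # su success: " + " marker, entry ends in "root"
    echo $line | grep -q " + .*root$" &&
        (echo su successful - `echo $line | cut -d" " -f1,2,3,10` | mailx $MAILTO)
    # inetd connection log entry for the login service
    echo $line | grep -q "login/tcp"
    if [ $? -eq 0 ] ; then
        # PID from the inetd[PID] tag, then the user of the process whose parent is that PID
        echo $line | sed 's/.*inetd.\([0-9][0-9]*\).*/\1/' | read PID
        ps -elf | awk '$5 == PID{print $3}' PID=$PID | read USER
        echo `echo $line | cut -d" " -f1,2,3` - $USER logged in | mailx $MAILTO
    fi
done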
===========================================
Rgds, Robin.
12-04-2001 05:30 AM
Re: Enabling mails for notification of root login failures / sus to root
To forward all emails to root on your system to your user id, add an entry in /etc/mail/aliases and then rebuild the aliases.
To add an alias, vi /etc/mail/aliases and add this entry at the bottom after Local Aliases:
root : your email address
Now, to rebuild the alias file, just stop and restart the sendmail daemon:
/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start
Now send a mail to root on the system and check whether that mail is forwarded to your email address.
Hope this helps.
Regds