HPE Community
Operating System - HP-UX
1830470 Members
2642 Online
110005 Solutions
New Discussion

Re: Need mail immediately when someone logs in as root

 
SOLVED
Go to solution
chindi
Respected Contributor

‎09-02-2014 03:49 AM

‎09-02-2014 03:49 AM

Need mail immediately when someone logs in as root

Hi ,

 

Am looking for a script which will send me mail immediately when someone logs in as root or uses sudo su - .

 

O.S hpux 11iv3

 

0 Kudos
Reply
5 REPLIES 5
Bill Hassell
Honored Contributor

‎09-02-2014 09:12 AM

‎09-02-2014 09:12 AM

Re: Need mail immediately when someone logs in as root

The last command can show you root logins and for sudo, just monitor the sudo log.


For last, use something like: last -R -10 root

For sudo, you'll have to montor whatever logging was setup in the sudoers file (syslog, ordinary file, etc)



Bill Hassell, sysadmin
Reply
Dennis Handly
Acclaimed Contributor

‎09-02-2014 12:18 PM

‎09-02-2014 12:18 PM

Re: Need mail immediately when someone logs in as root

You'll need some type of cronjob that uses last(1) and looks at logins and then sleeps.

Reply
chindi
Respected Contributor

‎09-02-2014 10:28 PM - edited ‎09-03-2014 12:46 AM

‎09-02-2014 10:28 PM - edited ‎09-03-2014 12:46 AM

Re: Need mail immediately when someone logs in as root

Hi,

 

Thanks for the info.

How can i get mail immediately if smeone logs in ?

It has to run continuos in cron right and it must not send me multiple mails for one logins  , can someone get me how to start here ?

 

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎09-03-2014 12:01 PM

‎09-03-2014 12:01 PM

Solution

Re: Need mail immediately when someone logs in as root

I've been thinking about how to do this since it was posted.

 

I think the suggestions of using the 'last' command to monitor for root logins is too complicated.

 

A relatively easy way to do something like this would be to add some code to /etc/profile.  Since the delfault shell for root should ALWAYS be /sbin/sh on HP-UX servers, /etc/profile will always be executed.

 

To have an e-mail sent to you whenever someone logs in as root, either directly or via 'su -' or 'sudo su -', add the following to /etc/profile:

 

### Send e-mail for root login
if [[ $(whoami) = root ]] ; then
   echo "User root logged in at $(date)" > /var/tmp/rlog.$$
   echo "" >> /var/tmp/rlog.$$
   who am i >> /var/tmp/rlog.$$
   echo "" >> /var/tmp/rlog.$$
   ps -f >> /var/tmp/rlog.$$
   mailx -s "root login" pwallek@sourcedirect.com < /var/tmp/rlog.$$
   rm /var/tmp/rlog.$$
fi

 

 

Here is an example of the message when loggin in as root directly (via SSH):

 

-----Original Message-----
From: root user [mailto:root@ignite.mydomain.com]
Sent: Wednesday, September 03, 2014 1:45 PM
To: Me
Subject: root login

 

User root logged in at Wed Sep 3 13:44:35 CDT 2014

 

root       pts/2       Sep 3 13:44

 

     UID   PID PPID C   STIME TTY       TIME COMMAND

   root 12106 12101 10 13:44:35 pts/2     0:00 -sh

   root 12148 12106 0 13:44:35 pts/2     0:00 ps -f

 

 

Here is an exmple of the message when someone does an 'su -':

 

-----Original Message-----
From: Test user [mailto:testuser@ignite.mydomain.com]
Sent: Wednesday, September 03, 2014 1:49 PM
To: ME
Subject: root login

 

User root logged in at Wed Sep 3 13:48:32 CDT 2014

 

testuser     pts/ta       Sep 3 13:47

 

     UID   PID PPID C   STIME TTY       TIME COMMAND

   root 12222 2191 0 13:47:32 pts/ta   0:00 telnetd

   root 12398 12357 0 13:48:32 pts/ta   0:00 ps -f

   root 12357 12223 2 13:48:30 pts/ta   0:00 -sh

testuser 12223 12222 0 13:47:32 pts/ta   0:00 -sh

 

Notice that the 'who am i' string still has the original user name and not root.

Reply
chindi
Respected Contributor

‎09-03-2014 10:11 PM - edited ‎09-03-2014 11:10 PM

‎09-03-2014 10:11 PM - edited ‎09-03-2014 11:10 PM

Re: Need mail immediately when someone logs in as root

Hi Patrick ,

 

Bingo !!!

We have edited it as per our requirement .

 

### Send e-mail for root & oracle login###################


export duid=`whoami`
if [ $(whoami) = root ] || [ $(whoami) = oracle ] ; then
export ho=`hostname`
export IP=`getip $ho`
export nme=`who am i|awk '{print $1}'`
export ptss=`who am i|awk '{print $2}'`
export ptsf=`who -TH|grep $ptss|awk '{print $NF}'`

mailx -s "$nme has logged in from $ptsf as $duid on $IP " xyz@test.com. < /dev/null
fi

 

 

Thanks again Patrick  :) :)

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.