02-07-2000 03:27 AM
root login
I would like to configure a script, likely, that will email me when someone has
tried to log on as root and failed.
Thanks,
Nickd
02-07-2000 05:26 AM
Re: root login
Hi Nick,
All bad logins are stored in the /var/adm/btmp in a binary format. To show
these in a readable format, you use the lastb command (similar to the last
command for successful logins).
For example:
fred:/var/adm # lastb
asdf pts/0 Tue Feb 8 07:58
asdf pts/0 Tue Feb 8 07:58
root pts/0 Tue Feb 8 07:58
root pts/tc Fri Feb 4 15:05
root pts/tc Fri Feb 4 15:05
As far as scripting it goes, it depends on how quickly you want to get this
information. To be honest, I can't think of an easy way to trigger this
instantly.
What you can do though is schedule a cron job to check if the btmp file has
changed and display the last records since changing. Or, if you don't want the
info in it you can empty the file each time and just do a lastb to show
everything in it. This will also help maintain the size of the file.
You could set this to run every minute, or once a day to produce a report each
morning.
You may also want to look at the security and auditing options available
through SAM. If you are running a trusted system (C2 level security) then you
can do more in terms of auditing.
Hope this helps...
Cheers,
Andrew Schafer
Australian Response Centre
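
The cron approach described in the reply above, as an added example that is not part of the original post: it keeps a count of root records already reported and mails only the new ones, without emptying btmp. It assumes lastb lists newest records first, as in the output shown; the STATE path, the MAILTO recipient and the script path in the cron comment are hypothetical.

```shell
#!/bin/sh
# Added example: mail only the failed root logins recorded since the last run.
# STATE and MAILTO are assumed values; adjust for the host.
STATE=${STATE:-/var/adm/rootfail.count}
MAILTO=${MAILTO:-root}

# Keep lastb records whose user field is exactly "root".
filter_root() {
    awk '$1 == "root"'
}

# new_since FILE: reads newest-first records on stdin, prints the ones added
# since the count saved in FILE, then saves the new count.
new_since() {
    state=$1
    cur=$(cat)
    if [ -z "$cur" ]; then
        n=0
    else
        n=$(printf '%s\n' "$cur" | wc -l | tr -d ' ')
    fi
    prev=0
    if [ -f "$state" ]; then
        prev=$(cat "$state")
    fi
    # Fewer records than last time means btmp was emptied: all are new.
    if [ "$n" -lt "$prev" ]; then
        prev=0
    fi
    new=$((n - prev))
    if [ "$new" -gt 0 ]; then
        printf '%s\n' "$cur" | head -n "$new"
    fi
    echo "$n" > "$state"
}

# Cron entry point, e.g. "* * * * * /usr/local/bin/rootfail.sh check"
# (script path is hypothetical). Nothing is mailed when there is nothing new.
if [ "${1:-}" = "check" ]; then
    report=$(lastb 2>/dev/null | filter_root | new_since "$STATE")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mailx -s "Failed root logins on $(hostname)" "$MAILTO"
    fi
fi
```

Keep the state file writable by root only, so that another user cannot change the stored count and suppress a report.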
02-07-2000 01:23 PM
Re: root login
Probably a good idea is to disable root login from anything other than the
console via /etc/securetty; then you can monitor the sulog by doing something
like this from a cron job:
grep " - " /var/adm/sulog | grep -i root | mail username
This will give you all bad su attempts; change the - to a + for all the good
attempts.