How to achieve E-Mail Notification on root login?

Frank Staals frank at
Tue Feb 12 14:40:18 UTC 2013

Robert Huff <roberthuff at> writes:

> Polytropon writes:
>>  > given there is a FreeBSD system with users in the wheel group, 
>>  > what is the best practise to send out a notification
>>  > via E-Mail if one of them becomes root via su? In an ideal
>>  > case the E-Mail would contain the user name and the time.
>>  I'm not sure if there already is a solution (provided in the
>>  base system) that offers this functionality, but the fact of
>>  a user having used "su" to "su root" is logged by the system.
>>  The line is appended to /var/log/messages:
>>  	Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
>>  The information you want is in there, and you could either use
>>  the whole line, or apply some sed, awk or even perl to form a
>>  message with less information (only date and user).
>>  A scripted solution could monitor /var/log/messages for changes
>>  and use the system's builtin mailer to deliver the message. Tools
>>  like "tail -f", "grep" and "| mail" could be involved. It should
>>  be quite trivial to implement this and add a custom rc.d-style
>>  script (or even few lines in ye olde /etc/rc.local).
> 	Take a look at the "-p" option of "split".
> 	The bigger question is how quickly do you need to know -
> instantly?  once an hour?  once a day?  
> 				Robert Huff

I don't think anything other than instantly makes sense. If it would be
a batch thing sent once an hour/day/<whatever> then an attacker could
simply prevent the mail being sent, and/or remove her entry from the

Furthermore, one should realize that any setup would only be guaranteed
to report the first breach/login. In other words: after the first notice
that someone logged in as root you can no longer trust that you will get
further notices (assuming that the emails safely arrive once they have
actually left the system in the first place). Unless you can somehow
verify that your notification system/setup was untouched by the person
who logged in (e.g. since you were the one that actually logged in as



- Frank

More information about the freebsd-questions mailing list