How to achieve E-Mail Notification on root login?

Karl Vogel vogelke+unix at pobox.com
Tue Feb 12 19:40:19 UTC 2013


>> Robert Huff <roberthuff at rcn.com> writes:

R> The bigger question is how quickly do you need to know - instantly?
R> once an hour?  once a day?

>> On 12 Feb 2013 15:39:56 +0100, Frank Staals <frank at fstaals.net> said:

F> I don't think anything other than instantly makes sense. If it would be
F> a batch thing sent once an hour/day/<whatever> then an attacker could
F> simply prevent the mail being sent, and/or remove her entry from the
F> log.  Furthermore, one should realize that any setup would only be
F> guaranteed to report the first breach/login.

   Yup.  I can see two ways around this, and the first one is ugly.

   1.  Rename su and make it executable only by root, so you can't bypass
       the part that handles the email alert:

       # mv /usr/bin/su /usr/bin/sulocal
       # chmod 700 /usr/bin/sulocal

   2.  Create a script in a directory accessible only by root:

       # cat /root/bin/emailalert
       #!/bin/sh
       # sendmail -t reads To: from the message, so send headers too; ALERT_TO
       # is a placeholder.  id -run gives the real uid (the user who ran su).
       ALERT_TO="security@example.com"
       printf 'To: %s\nSubject: root login on %s\n\nroot login by %s\n' \
           "$ALERT_TO" "`/bin/hostname`" "`/usr/bin/id -run`" | exec /path/to/sendmail -t
       exit 1

   3.  Replace /usr/bin/su with a small setuid C program to call the
       script and then run the real su, something like:

       #include <stdlib.h>
       #include <unistd.h>

       /* setuid root wrapper: send the alert, then run the renamed su.  system()
        * inherits the caller's environment, so the script uses absolute paths. */
       int main(int argc, char **argv, char **envp) {
           system("/root/bin/emailalert");
           execve("/usr/bin/sulocal", argv, envp);
           exit(1);   /* only reached if execve fails */
       }

   The second (better) way is to have your logs immediately forwarded to
   another host specifically set up for intrusion detection, install a
   log-monitoring system there, and send the message from there.  This way,
   the original logs are more likely to be intact when you investigate.

-- 
Karl Vogel                      I don't speak for the USAF or my company

Some guy just yelled at me for texting and driving.  I told him to
get off my hood and mind his own business.
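The "second (better) way" in the message above, a monitor on a separate log host that watches the forwarded syslog stream and sends the mail itself, is illustrated by the following added example. It is not code from the original post or from FreeBSD; it assumes the log host already receives the FreeBSD syslog lines over the network, the log lines are constructed samples for three login paths (su, sshd, console login), and the From/To addresses are placeholders. The message it builds carries its own To:/Subject: headers, which is what `sendmail -t` needs to find the recipient.

```python
"""Detect root logins in forwarded syslog lines and build the alert mail.

Added example (not from the original post).  Assumes the central log host
receives FreeBSD syslog lines and that a monitor like this runs there; the
log lines below are constructed samples and the addresses are placeholders.
"""
import re
from email.message import EmailMessage

# Constructed sample lines in FreeBSD syslog format (hosts/IPs are not real).
SAMPLE_LOG = """\
Feb 12 19:40:19 web1 su[1234]: karl to root on /dev/pts/0
Feb 12 19:41:02 web1 sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Feb 12 19:42:10 web1 sshd[2346]: Accepted password for root from 192.0.2.77 port 40022 ssh2
Feb 12 19:43:33 web1 login: ROOT LOGIN (root) ON ttyv0
Feb 12 19:44:00 web1 su[1300]: BAD SU bob to root on /dev/pts/1
Feb 12 19:45:00 web1 cron[999]: (root) CMD (/usr/libexec/atrun)
"""

# Header shared by every syslog line: timestamp, host, program[pid].
_HDR = (r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
        r"(?P<prog>[\w.-]+)(?:\[\d+\])?: ")

# One pattern per successful login path; each yields a 'who' and a 'via' group.
# Failed attempts ("BAD SU ...") deliberately do not match these.
PATTERNS = [
    # su(1): "<user> to root on <tty>"
    re.compile(_HDR + r"(?P<who>\w+) to root on (?P<via>\S+)$"),
    # sshd: "Accepted <method> for root from <ip> port <n> ssh2"
    re.compile(_HDR + r"Accepted \S+ for (?P<who>root) from (?P<via>\S+) port \d+"),
    # console login(1): "ROOT LOGIN (root) ON <tty>"
    re.compile(_HDR + r"ROOT LOGIN \((?P<who>root)\) ON (?P<via>\S+)"),
]


def detect_root_logins(lines):
    """Return one dict per line that records a successful root login."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                hits.append({
                    "time": m.group("ts"), "host": m.group("host"),
                    "program": m.group("prog"), "user": m.group("who"),
                    "via": m.group("via"), "raw": line,
                })
                break
    return hits


def build_alert(hits, sender="logmon@loghost.example", to="security@example.com"):
    """Build the alert as a full message (headers included) for sendmail -t."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    hosts = ", ".join(sorted({h["host"] for h in hits}))
    msg["Subject"] = f"root login on {hosts}"
    body = "\n".join(
        f"{h['time']} {h['host']}: {h['user']} became root via "
        f"{h['program']} ({h['via']})"
        for h in hits)
    msg.set_content(body + "\n")
    return msg


if __name__ == "__main__":
    found = detect_root_logins(SAMPLE_LOG.splitlines())
    # In production this string would be piped to sendmail -t; here it is printed.
    print(build_alert(found).as_string())
```

In use the monitor would tail the file syslogd writes on the log host and call `build_alert` for each new hit rather than batching, which keeps the "instantly" property the thread asks for while the evidence stays on a machine the attacker does not control.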

