Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor against /var/log/messages or /var/log/secure. For example, on Fedora Core 6, you get these tell-tale entries in /var/log/secure. The first was failed attempt while the 2nd is successful attempt.
<br><br>Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root<br>Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)
<br><br>If these entries got forwarded to a remote syslog server, the trigger would be much less vulnerable to tempering.<br><br><div><span class="gmail_quote">On 1/28/07, <b class="gmail_sendername">Henrik Stoerner</b> <
<a href="mailto:henrik@hswn.dk">henrik@hswn.dk</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
<br>> On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:<br>> > I have noticed that the client collects all of the data and then the server<br>> > "tests" the condition.<br>> ><br>
> > How would I go about writing a who script that would tell me when someone is<br>> > logged in as root?<br>><br>> For someone familiar with Perl, I think it should be fairly straight-forward.<br><br>I'm not familiar with Perl at all, but a couple of hours work produced
<br>this, which appears to work fine. I'll include it as a sample of how to<br>hook into the Hobbit server-side channels.<br><br>To use it, put it in your ~hobbit/server/ext/ directory, and add this to<br>your hobbitlaunch.cfg
on your server:<br><br>[rootlogin]<br> ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg<br> NEEDS hobbitd<br> CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl
<br><br><br>Regards,<br>Henrik<br><br><br><br>To unsubscribe from the hobbit list, send an e-mail to<br><a href="mailto:hobbit-unsubscribe@hswn.dk">hobbit-unsubscribe@hswn.dk</a><br><br><br><br></blockquote></div><br>