[hobbit] Sample of Hobbit server-side module (was: Who Test)

[Jerry Yu]

Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root'
trigger to Hobbit's LOG monitor against /var/log/messages or
/var/log/secure.  For example, on Fedora Core 6, you get  these tell-tale
entries in /var/log/secure. The first was failed attempt while the 2nd is
successful attempt.

Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure;
logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost=  user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user
root by joe(uid=500)

If these entries got forwarded to a remote syslog server, the trigger would
be much less vulnerable to tempering.

On 1/28/07, Henrik Stoerner <henrik at hswn.dk> wrote:
>
> On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
> > On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
> > > I have noticed that the client collects all of the data and then the
> server
> > > "tests" the condition.
> > >
> > > How would I go about writing a who script that would tell me when
> someone is
> > > logged in as root?
> >
> > For someone familiar with Perl, I think it should be fairly
> straight-forward.
>
> I'm not familiar with Perl at all, but a couple of hours work produced
> this, which appears to work fine. I'll include it as a sample of how to
> hook into the Hobbit server-side channels.
>
> To use it, put it in your ~hobbit/server/ext/ directory, and add this to
> your hobbitlaunch.cfg on your server:
>
> [rootlogin]
>         ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
>         NEEDS hobbitd
>         CMD hobbitd_channel --channel=client
> --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl
>
>
> Regards,
> Henrik
>
>
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20070128/905fff5e/attachment.html>