[Xymon] root login script

Jeremy Laidman jlaidman at rebel-it.com.au
Fri Apr 19 06:52:31 CEST 2013


On 17 April 2013 21:09, Morsiani, Massimo <massimo.morsiani at gilbarco.com> wrote:

> Is there anyone that is using a script to check if the root user is logged
> on to Unix/Linux machines?
> Or is there anyone that is using "xymond_rootlogin.pl" and can explain to me
> how to use it?
> Thanks in advance for the support.
>

IMHO, this script seems overkill, given what's now possible within Xymon
these days.  The "who" output is already available in the client data, and
could be extracted and analysed server-side with something like:

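#!/bin/sh
# xymongrep prints matching hosts.cfg lines as "IP HOSTNAME # tags"
xymongrep rootcheck | while read IP HOSTNAME REST; do
  # fetch the [who] section of this host's most recent client report
  WHO=`xymon localhost "clientlog $HOSTNAME section=who"`
  [ "$WHO" ] || continue # skip hosts without [who]
  # status messages take the hostname with dots replaced by commas
  MACHINE=`echo "$HOSTNAME" | sed 's/\./,/g'`
  if echo "$WHO" | grep "^root" >/dev/null; then
    MSG="status $MACHINE.root red root logins detected"
  else
    MSG="status $MACHINE.root green no root logins detected"
  fi
  xymon $XYMSRV "$MSG
$WHO"
done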

This just finds all the hosts.cfg entries with "rootcheck" present, and
reports where "who" shows that root is logged in.  This would be run from
tasks.cfg.

Another way to do this, without having to create and maintain an actual
script file, is to use backticks to create a virtual log file entry in
client-local.cfg, like so:

log:`exec 2>/dev/null; { grep '^$' /tmp/who.log >/dev/null && >/tmp/who.log || echo "" >>/tmp/who.log; } && who >> /tmp/who.log && echo /tmp/who.log`:10240

This collects lines from a virtual logfile /tmp/who.log, that contains the
who output.  This allows you to monitor the who logfile with analysis.cfg,
like so:

HOST=*
  LOG /tmp/who.log %^root COLOR=red TEXT="Root login detected"

This backticks scriptlet is a little complicated because it needs to make
sure the virtual logfile size changes every time, otherwise Xymon's
logfetch process might not detect any difference in the file and not report
anything.

J
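
Added example (not part of the original post): a stricter version of the "who" analysis described above, which matches the username exactly and reports the terminal and origin of each root session. The function names and the sample input are constructed for illustration; it assumes the username is the first field, the terminal the second, and the remote host a trailing "(...)" field.

```sh
#!/bin/sh
# Added example: classify `who` output for a Xymon "root" status column.

# root_sessions: read `who` output on stdin and print one "TTY ORIGIN" line
# per root session. ORIGIN is the remote host taken from the trailing "(...)"
# field, or "local" when the line has none (console logins).
root_sessions() {
  awk '$1 == "root" {        # exact match, so "rootly" or "root2" do not count
         origin = "local"
         if ($NF ~ /^\(.*\)$/) origin = substr($NF, 2, length($NF) - 2)
         print $2, origin
       }'
}

# who_status: print "COLOR summary" for one host's who text (argument 1).
who_status() {
  sessions=$(printf '%s\n' "$1" | root_sessions)
  if [ -z "$sessions" ]; then
    echo "green no root logins detected"
  else
    count=$(printf '%s\n' "$sessions" | wc -l | tr -d ' ')
    detail=$(printf '%s\n' "$sessions" | paste -s -d ';' -)
    echo "red $count root login(s): $detail"
  fi
}

# Constructed sample input, including the [who] section header line
SAMPLE_WHO='[who]
rootly   pts/0        2013-04-19 06:40 (10.0.0.5)
root     tty1         2013-04-19 06:41
root     pts/1        2013-04-19 06:45 (192.0.2.10)
alice    pts/2        2013-04-19 06:50 (198.51.100.7)'

who_status "$SAMPLE_WHO"
```

The first word of the result can be used as the status color and the rest as the message text sent with the "status" command.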