[hobbit] Sample of Hobbit server-side module (was: Who Test)
Jerry Yu
jjj863 at gmail.com
Sun Jan 28 14:42:34 CET 2007
Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root'
trigger to Hobbit's LOG monitor against /var/log/messages or
/var/log/secure. For example, on Fedora Core 6, you get these tell-tale
entries in /var/log/secure. The first was failed attempt while the 2nd is
successful attempt.
Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure;
logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user
root by joe(uid=500)
If these entries got forwarded to a remote syslog server, the trigger would
be much less vulnerable to tempering.
On 1/28/07, Henrik Stoerner <henrik at hswn.dk> wrote:
>
> On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
> > On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
> > > I have noticed that the client collects all of the data and then the
> server
> > > "tests" the condition.
> > >
> > > How would I go about writing a who script that would tell me when
> someone is
> > > logged in as root?
> >
> > For someone familiar with Perl, I think it should be fairly
> straight-forward.
>
> I'm not familiar with Perl at all, but a couple of hours work produced
> this, which appears to work fine. I'll include it as a sample of how to
> hook into the Hobbit server-side channels.
>
> To use it, put it in your ~hobbit/server/ext/ directory, and add this to
> your hobbitlaunch.cfg on your server:
>
> [rootlogin]
> ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
> NEEDS hobbitd
> CMD hobbitd_channel --channel=client
> --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl
>
>
> Regards,
> Henrik
>
>
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20070128/905fff5e/attachment.html>
More information about the Xymon
mailing list