From: Frank Staals <frank@fstaals.net>
To: Robert Huff
Cc: Polytropon, Matthias Petermann, freebsd-questions@freebsd.org
Subject: Re: How to achieve E-Mail Notification on root login?
Date: Tue, 12 Feb 2013 15:39:56 +0100
Message-ID: <87mwv9lhoj.fsf@Shanna.FStaals.net>
In-Reply-To: <20762.21059.118777.31186@jerusalem.litteratus.org> (Robert Huff's message of "Tue, 12 Feb 2013 09:31:31 -0500")
References: <20130212132452.Horde.EO28CfwdHQDobBCC5akbvA7@d2ux.org> <20130212144618.82ed5353.freebsd@edvax.de> <20762.21059.118777.31186@jerusalem.litteratus.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)

Robert Huff writes:

> Polytropon writes:
>
>> > given there is a FreeBSD system with users in the wheel group,
>> > what is the best practice to send out a notification
>> > via E-Mail if one of them becomes root via su? In an ideal
>> > case the E-Mail would contain the user name and the time.
>>
>> I'm not sure if there already is a solution (provided in the
>> base system) that offers this functionality, but the fact of
>> a user having used "su" to "su root" is logged by the system.
>> The line is appended to /var/log/messages:
>>
>> Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
>>
>> The information you want is in there, and you could either use
>> the whole line, or apply some sed, awk or even perl to form a
>> message with less information (only date and user).
>>
>> A scripted solution could monitor /var/log/messages for changes
>> and use the system's built-in mailer to deliver the message. Tools
>> like "tail -f", "grep" and "| mail" could be involved. It should
>> be quite trivial to implement this and add a custom rc.d-style
>> script (or even a few lines in ye olde /etc/rc.local).
>
> Take a look at the "-p" option of "split".
> The bigger question is how quickly do you need to know -
> instantly? once an hour? once a day?
>
>
> Robert Huff

I don't think anything other than instantly makes sense. If it were a
batch thing sent once an hour/day, then an attacker could simply prevent
the mail being sent, and/or remove her entry from the log.

Furthermore, one should realize that any setup would only be guaranteed
to report the first breach/login. In other words: after the first notice
that someone logged in as root, you can no longer trust that you will get
further notices (assuming that the emails safely arrive once they have
actually left the system in the first place). Unless you can somehow
verify that your notification system/setup was untouched by the person
who logged in (e.g. since you were the one that actually logged in as
root).

Regards,

-- 
- Frank
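The pipeline Polytropon sketches above (follow /var/log/messages, pick out the su line, hand user and time to the mailer), together with Frank's point that the mail has to go out the moment the line appears, written out as an added example; this is not code from the thread or from FreeBSD. It assumes the su(1) syslog format shown in the quote ("su: USER to TARGET on TTY", with failed attempts logged as "su: BAD SU USER to TARGET on TTY"); the function names, the notification text, the recipient and the sample log lines are mine.

```sh
#!/bin/sh
# Added example, not code from the thread. Parses the su(1) syslog line
# Polytropon quoted and turns a successful su-to-root into a notification.
# The notification text, the watcher function and the mail(1) call are
# assumptions; the sample log lines further down are constructed.

# parse_su_line LINE
#   Prints "user=U target=T tty=TTY at Mon DD HH:MM:SS" for a successful
#   su line ("... su: U to T on TTY"); prints nothing and returns 1 for
#   anything else, including failed attempts ("su: BAD SU U to T on TTY").
parse_su_line() {
    printf '%s\n' "$1" | awk '
        # Fields: 1=Mon 2=DD 3=HH:MM:SS 4=host 5="su:" 6=user 7="to" 8=target 9="on" 10=tty
        $5 == "su:" && $7 == "to" && $9 == "on" {
            printf "user=%s target=%s tty=%s at %s %s %s\n", $6, $8, $10, $1, $2, $3
            found = 1
        }
        END { if (!found) exit 1 }'
}

# notify_root_su LINE
#   Prints the one-line message to mail when LINE records a su to root;
#   prints nothing and returns 1 for su to any other account or for
#   unrelated log lines.
notify_root_su() {
    parsed=$(parse_su_line "$1") || return 1
    case " $parsed " in
        *" target=root "*) printf 'su to root: %s\n' "$parsed" ;;
        *) return 1 ;;
    esac
}

# watch_su_log LOGFILE RECIPIENT
#   Follow the log and mail each su-to-root line as soon as it appears.
#   Sending immediately rather than batching is Frank's point: a batched
#   report gives the new root time to suppress it. The watcher is itself
#   a process on the same host, so it too is only trustworthy up to the
#   first notice.
watch_su_log() {
    tail -F "$1" | while IFS= read -r line; do
        msg=$(notify_root_su "$line") || continue
        printf '%s\n' "$msg" | mail -s "su to root on $(hostname)" "$2"
    done
}

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG='Feb 12 14:40:57 r56 su: poly to root on /dev/pts/2
Feb 12 14:41:03 r56 su: poly to operator on /dev/pts/2
Feb 12 14:41:10 r56 sshd[1234]: Accepted publickey for poly from 192.0.2.5 port 50000 ssh2
Feb 12 14:42:00 r56 su: BAD SU poly to root on /dev/pts/3'

# count_root_su
#   Runs notify_root_su over SAMPLE_LOG and prints how many lines would
#   have produced a mail (1: only the successful su to root).
count_root_su() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        notify_root_su "$l" || :
    done | wc -l | tr -d ' '
}

# Usage: source this file, then
#   watch_su_log /var/log/messages root@example.org
# or, offline, `count_root_su` to see the filter pick one line of the four.
```

Only the successful su to root is reported; the "BAD SU" failure and the su to operator are filtered out, which matches what the original question asked for. As Frank says, once someone has become root, the tail process, the log and the mailer are all under that person's control, so nothing here extends the guarantee beyond the first notice.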