* [gentoo-user] How send mail when user login on ssh or local ?
@ 2009-07-30 15:03 Vagner Rodrigues
2009-07-30 17:49 ` Joshua Murphy
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Vagner Rodrigues @ 2009-07-30 15:03 UTC
To: gentoo-user
Hi Folks!
Does somebody know how to send mail with the IP and date/time when some
user logs in on a shell (remote or local)?
I work with other admins and they never tell me when they access my
server or for what. I tried logging, but logs can be erased;
maybe mail can help me with access, and with this I can ask about
this access.
--
This message has been scanned by the antivirus system and
is believed to be free of danger.
* Re: [gentoo-user] How send mail when user login on ssh or local ?
From: Joshua Murphy @ 2009-07-30 17:49 UTC
To: gentoo-user
2009/7/30 Vagner Rodrigues <vagner@litrixlinux.org>:
> Hi Folks!
>
> Does somebody know how to send mail with the IP and date/time when some
> user logs in on a shell (remote or local)?
>
> I work with other admins and they never tell me when they access my
> server or for what. I tried logging, but logs can be erased;
> maybe mail can help me with access, and with this I can ask about
> this access.
>
> --
> This message has been scanned by the antivirus system and
> is believed to be free of danger.
Well, all questions regarding the reasons you'd be giving root privs
to someone you don't entirely trust aside... the quick and dirty
approach I can think of would be to modify the system wide
/etc/profile to check uid and send an email if a given uid is logged
in. In the end, there's little to no way I'm aware of to guarantee
being alerted about use once someone's being handed root privileges.
If you do go about setting it up that way... OpenSSH sets variables[1]
regarding the session (IP and such) and those can be used to identify
that. The `tty` command[2] can be used to tell you whether the access
is direct physical access to the system's virtual consoles or not. You
could even bypass dependency on the local system having working mail
configuration and such if you have an SMTP server off-host you can
send through by using netcat. A Windows variation[3] I found of the
same principle idea does just that. And, lastly, if you use sudo you
can leverage its own auditing capabilities to know when it's being
used[4].
[1] For example:
SSH_CLIENT=127.0.0.1 44681 22
SSH_TTY=/dev/pts/1
SSH_CONNECTION=127.0.0.1 44681 127.0.0.1 22
Which are of the form:
SSH_CLIENT=<client ip> <client port> <server port>
SSH_TTY=<local tty or pty>
SSH_CONNECTION=<client ip> <client port> <server ip> <server port>
[2] http://swoolley.org/man.cgi/tty
[3] http://community.spiceworks.com/how_to/show/225
[4] http://www.cyberciti.biz/faq/sudo-send-e-mail-sudo-log-file/
--
Poison [BLX]
Joshua M. Murphy
"Real programmers can write assembly code in any language." - Larry Wall
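The /etc/profile approach described in the message above, as an added example that is not part of Joshua's post: a hook that checks the uid, uses SSH_CONNECTION and `tty` to tell remote from local access, and mails an alert. The watched uids, the recipient address and the file name are assumptions, and a working local `mail` command is assumed.

```shell
# Added example, meant to be sourced from /etc/profile, for instance as
# /etc/profile.d/login-notify.sh (hypothetical file name).
WATCH_UIDS="0 1000"              # assumption: uids to report on
ALERT_TO="admin@example.org"     # assumption: where alerts go

# Print "remote <client ip>" for SSH sessions, "local <tty>" otherwise.
# $1 = value of SSH_CONNECTION (may be empty), $2 = output of `tty`.
login_origin() {
    if [ -n "$1" ]; then
        # SSH_CONNECTION=<client ip> <client port> <server ip> <server port>
        printf 'remote %s\n' "${1%% *}"
    else
        printf 'local %s\n' "${2:-unknown}"
    fi
}

# Succeed if uid $1 appears in the space-separated list $2.
uid_is_watched() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the mail body. $1 = user, $2 = uid, $3 = origin, $4 = timestamp.
login_alert_body() {
    printf 'User: %s (uid %s)\nOrigin: %s\nTime: %s\n' "$1" "$2" "$3" "$4"
}

# Runs in a subshell so no variables leak into the login shell; the mail
# is sent in the background so a slow or broken MTA never delays the login.
login_notify() (
    uid=$(id -u)
    uid_is_watched "$uid" "$WATCH_UIDS" || exit 0
    origin=$(login_origin "${SSH_CONNECTION:-}" "$(tty 2>/dev/null)")
    login_alert_body "$(id -un)" "$uid" "$origin" "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" |
        mail -s "login on $(hostname): $(id -un), $origin" "$ALERT_TO" >/dev/null 2>&1 &
)

# Only interactive shells trigger the alert.
case $- in
    *i*) login_notify ;;
esac
```

Shells that never read /etc/profile, such as `ssh host command`, produce no alert, and anyone with root can edit the hook.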
* [gentoo-user] Re: How send mail when user login on ssh or local ?
From: Harry Putnam @ 2009-07-30 22:05 UTC
To: gentoo-user
Vagner Rodrigues <vagner@litrixlinux.org> writes:
> Hi Folks!
>
> Does somebody know how to send mail with the IP and date/time when some
> user logs in on a shell (remote or local)?
>
> I work with other admins and they never tell me when they access my
> server or for what. I tried logging, but logs can be erased;
> maybe mail can help me with access, and with this I can ask about
> this access.
Do you really think the other admins would be erasing logs?
One way to get some input would be to run your own script that calls
`w' or `who' every half hour and writes it to a file with `>>' redirect.
Then once a day the script could mail you the resulting file.
If the other admins are logging in as root... you would see where they
were logging in from... and possibly identify them that way... also
`w' may give a little hint as to what they are doing.
Some scanning of the output file would reveal quite a lot of info over
time.
Look at `man w' or `man who' for what you would be getting.
The output might look something like this...showing who is logged in
and from where:
w
[...]
USER TTY FROM LOGIN@ IDLE WHAT
jhc p1 pool-173-70-160- 2:36AM 0 /bin/ksh
cytroic p3 fw1.appliedcard. 02Jul09 7days screen -x
st p4 mais2.cat.utexas Wed07PM 20:26 -bash
rob pa 216-239-45-4.goo Sun11PM 27 screen -rd
dwa ph 68-116-196-242.d 8:10PM 1:00 -bash
reader pk c-98-215-178-110 9:57PM 0 w
mage pq c-65-34-215-99.h Fri10PM 5days screen -r
Or use `who' to get a full print of the remote hosts users are logging
in from:
who
jhc ttyp1 Jul 30 02:36 (pool-173-70-160-108.nwrknj.fios.)
cytroic ttyp3 Jul 2 13:59 (fw1.appliedcard.com)
st ttyp4 Jul 29 19:05 (mais2.cat.utexas.edu)
rob ttypa Jul 26 23:50 (216-239-45-4.google.com)
dwa ttyph Jul 30 20:10 (68-116-196-242.dhcp.oxfr.ma.char)
reader ttypk Jul 30 21:57 (c-98-215-178-110.hsd1.in.comcast)
mage ttypq Jul 24 22:49 (c-65-34-215-99.hsd1.fl.comcast.n)
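The periodic `who` snapshot suggested in the message above, as an added example that is not part of Harry's post: one script that appends timestamped `who` output and, for the daily mail, condenses the file into one line per user and remote host. The log path, the recipient and the install path in the cron comments are assumptions.

```shell
# Added example: run from cron, e.g. (hypothetical install path)
#   */30 * * * *  /usr/local/sbin/who-log.sh snapshot
#   0 6 * * *     /usr/local/sbin/who-log.sh report
SNAP_LOG="${SNAP_LOG:-/var/log/who-snapshots.log}"   # assumption
REPORT_TO="${REPORT_TO:-admin@example.org}"          # assumption

# Prefix every `who` line read from stdin with a UTC timestamp.
stamp_who() {
    ts=$(date -u '+%Y-%m-%dT%H:%MZ')
    while IFS= read -r line; do
        if [ -n "$line" ]; then printf '%s %s\n' "$ts" "$line"; fi
    done
}

# Summarise stamped lines (files given as arguments, or stdin) as
# "<snapshots seen> <user> <remote host or (local)>".
summarize_who() {
    awk '{
        host = "(local)"
        # `who` prints the remote host in parentheses as the last field
        if ($NF ~ /^\(.*\)$/) host = substr($NF, 2, length($NF) - 2)
        seen[$2 " " host]++
    }
    END { for (k in seen) print seen[k], k }' "$@" | sort -k2
}

case "${1:-}" in
    snapshot) who | stamp_who >> "$SNAP_LOG" ;;
    report)   summarize_who "$SNAP_LOG" |
                  mail -s "who summary for $(hostname)" "$REPORT_TO" ;;
esac
```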
* Re: [gentoo-user] Re: How send mail when user login on ssh or local ?
From: Alan McKinnon @ 2009-07-30 22:12 UTC
To: gentoo-user
On Friday 31 July 2009 00:05:16 Harry Putnam wrote:
> > Does somebody know how to send mail with the IP and date/time when some
> > user logs in on a shell (remote or local)?
> >
> > I work with other admins and they never tell me when they access my
> > server or for what. I tried logging, but logs can be erased;
> > maybe mail can help me with access, and with this I can ask about
> > this access.
>
> Do you really think the other admins would be erasing logs?
That's what I was thinking. If you don't trust the other admin, then either:
1. You need to stop being the admin, or
2. The other person needs to stop being the admin.
This is not a technical problem, it does not need a technical solution.
It is a human problem and it needs a human solution.
This sounds nasty. Of course it is nasty - I intended it to be. But it's also
true. In 25 years in this game, I have never found the above to be false.
Trying to do anything about it is a fool's game and down that path lies
madness.
--
alan dot mckinnon at gmail dot com
* [gentoo-user] Re: How send mail when user login on ssh or local ?
From: Doug O'Neal @ 2009-07-31 12:34 UTC
To: gentoo-user
On 07/30/2009 06:12 PM, Alan McKinnon wrote:
> On Friday 31 July 2009 00:05:16 Harry Putnam wrote:
>>> Does somebody know how to send mail with the IP and date/time when some
>>> user logs in on a shell (remote or local)?
>>>
>>> I work with other admins and they never tell me when they access my
>>> server or for what. I tried logging, but logs can be erased;
>>> maybe mail can help me with access, and with this I can ask about
>>> this access.
>> Do you really think the other admins would be erasing logs?
>
> That's what I was thinking. If you don't trust the other admin, then either:
>
> 1. You need to stop being the admin, or
> 2. The other person needs to stop being the admin.
>
> This is not a technical problem, it does not need a technical solution.
> It is a human problem and it needs a human solution.
>
> This sounds nasty. Of course it is nasty - I intended it to be. But it's also
> true. In 25 years in this game, I have never found the above to be false.
> Trying to do anything about it is a fool's game and down that path lies
> madness.
I agree 100% with Alan and it is a long-standing policy of mine that I
will not share admin responsibilities with someone not on my staff. Until
you put that in place however, you might consider setting the system syslog
to log to an external system that only you control. The other admin can
turn off logging but you will know when he's done so.
* [gentoo-user] Re: How send mail when user login on ssh or local ?
From: James @ 2009-08-01 13:35 UTC
To: gentoo-user
Vagner Rodrigues <vagner <at> litrixlinux.org> writes:
> I work with other admins and they never tell me when they access my
> server or for what. I tried logging, but logs can be erased;
> maybe mail can help me with access, and with this I can ask about
> this access.
Well, what the others have said rings very true. I'd just add a few things.
If they have had root access on the system(s), and you want to remove them,
it's very difficult (if they are knowledgeable) to do so, no matter what
you do. It would be best to "re-install" that system(s) just to be safe.
Reinstallation may be the quickest solution, and brings finality
to a compromised system problem.
If in the future, should you need to have several folks with extended
privileges, then look into "sudo". It may or may not be a solution
for your network.
Personally, I like to "divide and conquer"; Split admin responsibilities
across servers, and then one or two principals access/control everything
and everyone.... That way you can document what other admins have done,
with a variety of techniques and when servers are migrated to another
admin, the new admin can document how things work or have been set up,
to the point of training another admin. Often, particularly among the
younger admins, folks do not like to perform a 'knowledge transfer' so
when you switch admins, that situation gets flushed out.....
caveat emptor!
hth,
James
* Re: [gentoo-user] Re: How send mail when user login on ssh or local ?
From: Alan McKinnon @ 2009-08-01 16:27 UTC
To: gentoo-user
On Saturday 01 August 2009 15:35:35 James wrote:
> That way you can document what other admins have done,
> with a variety of techniques and when servers are migrated to another
> admin, the new admin can document how things work or have been set up,
> to the point of training another admin. Often, particularly among the
> younger admins, folks do not like to perform a 'knowledge transfer' so
> when you switch admins, that situation gets flushed out.....
My team has a brilliant solution for this:
A wiki.
You can't start on project #2 till #2 is fully documented.
Projects #1, #2 and #3 etc are all on our Key Performance Indicators for each
half-year.
Yearly bonus and salary increase depends only on Performance Appraisal
interview.
Technical aspects of Performance Appraisal interview depends only on progress
through your projects.
See where this is going?
No documentation = no knowledge transfer = no wage increase.
:-)
--
alan dot mckinnon at gmail dot com
* [gentoo-user] Re: How send mail when user login on ssh or local ?
From: James @ 2009-08-01 23:54 UTC
To: gentoo-user
Alan McKinnon <alan.mckinnon <at> gmail.com> writes:
> See where this is going?
> No documentation = no knowledge transfer = no wage increase.
Well, these days, I work in smaller circles, but, I like your
ideas. I pretty much do the same thing with consultants,
contracts and money....
<wink...nod...giggle....>
James