Sysadmin tricks: Get an alert when users log in

Penetration Testing Wiki

Sysadmin tricks: Get an alert when users log in

For some critical machines when it is not usual that users login through SSH or execute SU to become superuser, we can use PAM module configuration to receive some kind of alert whenever a user logs into that machine or escalates privileges to root.

Two options here:

  • /etc/pam.d/su: To receive alerts everytime a user becomes root
  • /etc/pam.d/sshd: To receive alerts everytime a user logs in successfully in this machine

Whatever option you choose, you will have to add the following line at the end of that file.

session optional pam_exec.so /usr/local/bin/mail-login.php

The script mail-login.php looks pretty simple:

#!/usr/bin/php
<?php
mail("[email protected]", "login successful", "User: ".system("id")."\n\nIP: ".system("w -h | awk '{print $3}'")."\n\n".system("last"));
exit(0);

 

Leave a Reply

Your email address will not be published. Required fields are marked *