On critical machines where users rarely log in through SSH or run su to become superuser, we can use PAM module configuration to receive an alert whenever a user logs into that machine or escalates privileges to root.

Two options here:

  • /etc/pam.d/su: to receive an alert every time a user becomes root
  • /etc/pam.d/sshd: to receive an alert every time a user logs in successfully to this machine

Whatever option you choose, you will have to add the following line at the end of that file.

session optional pam_exec.so /usr/local/bin/mail-login.php

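The script mail-login.php looks pretty simple. It must be executable and start with an interpreter line (adjust the path to your PHP CLI). shell_exec() is used because system() echoes the command output and returns only its last line:

#!/usr/bin/php
<?php mail("[email protected]", "login successful", "User: ".shell_exec("id")."\n\nIP: ".shell_exec("w -h | awk '{print $3}'")."\n\n".shell_exec("last"));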
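A variant of the hook as an added example, not the post's own script: a POSIX shell script for pam_exec that reads the PAM_* environment variables pam_exec exports, alerts only when a session opens (session modules also run at logout), and strips unsafe characters before building the mail. The recipient `root`, the sendmail path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script. pam_exec exports the PAM_*
# variables read below; ALERT_TO and SENDMAIL are assumptions of this sketch.
ALERT_TO="${ALERT_TO:-root}"                 # placeholder recipient
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"   # assumed local MTA binary

# Session modules run on login and on logout; alert only on session open.
should_alert() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# Drop everything except a conservative character set so that values taken
# from PAM (user name, remote host) cannot inject mail headers or newlines.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:@/-'
}

# Print a complete message (headers, blank line, body) on stdout.
build_alert() {
    user=$(sanitize "${PAM_USER:-unknown}")
    ruser=$(sanitize "${PAM_RUSER:-n/a}")
    rhost=$(sanitize "${PAM_RHOST:-local}")
    service=$(sanitize "${PAM_SERVICE:-unknown}")
    tty=$(sanitize "${PAM_TTY:-n/a}")
    host=$(uname -n)
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: [pam] %s session opened for %s on %s\n\n' "$service" "$user" "$host"
    printf 'User: %s\nRequested by: %s\n' "$user" "$ruser"
    printf 'Remote host: %s\nTTY: %s\n' "$rhost" "$tty"
    printf 'Time (UTC): %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S')"
}

# Send only for the event of interest; otherwise do nothing.
if should_alert; then
    build_alert | "$SENDMAIL" -t
fi
```

Unlike `w -h`, which lists every logged-in session, PAM_RHOST and PAM_USER describe only the session that triggered the hook.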
