Since root should not have direct login access via SSH and we have set up our user to use sudo, root logins should be very rare. To alert the System Administrator when someone logs in as root, I have set up my system to send out an email on root login.
- Log in as root
su -
- Change to the root user’s home directory
cd ~
- Edit the root user’s .bashrc file (in this example I use nano, but using vi, emacs, pico, etc. is fine)
nano .bashrc
- Add the following block of code to the end of .bashrc. This will send an email to example@example.com (change as appropriate).
# Mail an alert each time root's .bashrc is read (date, logged-in sessions, remote host in the subject)
echo 'ALERT - Root Shell Access () on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" example@example.com
- When root logs in, you will receive a message similar to this:
ALERT - Root Shell Access () on: Tue Jun 16 11:04:10 CDT 2009 user123 pts/0 2009-06-16 11:04
Word of warning: Send this to an email account that is not hosted on the same machine. Anyone who can log in as root can read the mail spools on the entire server, and it would be a trivial matter to delete this message from the spool so the real System Administrator never sees it.
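
A more defensive form of the .bashrc alert above, added here as an example and not the author's code: it reads only the current terminal's `who -m` entry, copes with logins that have no "(host)" field, and strips unexpected characters before they reach the mail subject. The function names and the use of `uname -n` for the parenthesised field are assumptions.

```shell
# Added example for root's ~/.bashrc (function names are hypothetical).

# Print the remote host from ONE line of `who` output, e.g.
#   user123  pts/0  2009-06-16 11:04 (192.0.2.10)   <- constructed sample
# Prints "local" when the line has no "(host)" field (console login, empty input).
remote_host() {
    case $1 in
        *"("*")"*) _rh=${1##*\(}; _rh=${_rh%%\)*} ;;
        *)         _rh= ;;
    esac
    # Keep only characters valid in a host name or address so nothing
    # unexpected ends up in the Subject: header.
    _rh=$(printf '%s' "$_rh" | tr -cd 'A-Za-z0-9.:_-')
    printf '%s\n' "${_rh:-local}"
}

# Subject line in the same style as the original one-liner.
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$(remote_host "$1")"
}

# Body: server name (assumption: uname -n), time, and the session's who line.
alert_body() {
    printf 'ALERT - Root Shell Access (%s) on: %s\n%s\n' \
        "$(uname -n)" "$(date)" "$1"
}

# $1 = recipient (use a mailbox hosted on another machine), $2 = who line.
send_root_alert() {
    alert_body "$2" | mail -s "$(alert_subject "$2")" "$1"
}

# Alert only from interactive shells; `who -m` reports just the terminal
# this shell is attached to, not every logged-in session.
case $- in
    *i*) send_root_alert "example@example.com" "$(who -m 2>/dev/null)" ;;
esac
```

Because it lives in .bashrc, it fires only for interactive bash shells that read that file; a shell started with --norc, or a different shell, sends nothing.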
#1 by Shishka on February 12, 2010 - 3:06 am
Thank you! I added this page to my bookmarks. I think it would be useful …
#2 by cinema on March 6, 2010 - 10:43 pm
Nice article. Would be grateful for any other information concerning this topic. Thanks!
#3 by natasha on March 12, 2010 - 4:07 am
Thank you! Nice blog!
#4 by Snaky on March 5, 2011 - 11:32 am
FAIL!!!
Did you ever read about --noprofile and --norc options for bash???