Re: [discuss] Looking for input from others.

From: Jordan T. (mandrake-discussblue-ferret.com.au)
Date: Sat Dec 27 2003 - 05:52:37 CST


Doh, minor error...

$user = `echo $USER/$USERNAME`;
should be
$user = `echo \$USER/\$USERNAME`;

Jordan.

On Sat, 2003-12-27 at 19:40, Jordan T. wrote:
> I just compiled & installed pam-scripts, works a treat!
> here is the script i used for logins.
>
> /etc/security/onsessionopen:
>
> #!/usr/bin/perl
>
> $contact = "jordan\blue-ferret.com.au";
> $fromaddr = "logincheck\blue-ferret.com.au";
> $hostname = `/bin/hostname`;
> $user = `echo $USER/$USERNAME`; #old user / new user (if su'd)
> $who = `/usr/bin/who am i`; # scalars need the $ sigil
> $w = `/usr/bin/w`;
> $date = `/bin/date`;
> $groups = `/usr/bin/groups`;
> chomp($hostname);
> chomp($date);
> chomp($user);
> chomp($groups);
>
> open SENDMAIL, "|/usr/sbin/sendmail -t" or
> die "Cannot open sendmail: $!\n";
> print SENDMAIL "TO: $contact\n";
> print SENDMAIL "FROM: Login Checker <$fromaddr>\n";
> print SENDMAIL "Subject: User $user logged in on $hostname\n";
> print SENDMAIL "Hostname $hostname\n";
> print SENDMAIL "Date: $date\n";
> print SENDMAIL "User: $user\n";
> print SENDMAIL "Groups: $groups\n";
> print SENDMAIL "Who Output: $who\n";
> print SENDMAIL "W Output: $w\n";
> close SENDMAIL or die "Cannot close sendmail: $!\n";
>
>
> If you want you could also copy it to /etc/security/onsessionclose and
> change "logged in" to "logged out" in the subject line, to see when
> users log out too. With further tinkering, you could even make it send
> you the user's .bash_history on logout to see what they typed (could be a
> security risk sending it in email (ascii) though).
>
> Jordan.
>
> On Sat, 2003-12-27 at 15:31, tek wrote:
> > On 27 Dec 2003 11:50:15 +0800, Jordan T. wrote
> > > This is a nice idea, but putting it in /root/.bashrc could be easy
> > > enough to evade (don't use bash)
> >
> > OK, but how can they change the shell before they log in as root?
> > Not saying it can't be done, it probably can, just not sure how. Guess I
> > could put this in all of the shells on the system for root.
> >
> > >, and if someone logs in as a
> > > non-root user and escalates privileges then roots bashrc
> > > wouldn't always be executed.
> >
> > Well, su'ing does execute it, although if they are doing it via some
> > exploit and privilege escalation then I'm not as sure. I would love to
> > test it out if anyone has some ideas on this.
> >
> > >
> > > A better way of doing this would be to use a log monitoring daemon
> > >
> >
> > Well, logcheck and the like only run at 4am. So far, other than swatch, I
> > haven't seen anything that would perform in real time, which was my goal.
> >
> > > (theres plenty out there) on /var/log/messages where pam logs
> > > all logins for all users and services whether they are
> > > successful or otherwise.
> > >
> > > A simple daemon could be written in bash that uses tail and
> > > grep to trigger mail, you could go one further by using perl
> > > and inbuilt functions and even further by writing your own
> > > daemon in C.
> >
> > Way beyond my very simple scripting skills, but I like the idea.
> > I have used swatch, lads, logcheck and portsentry and each has their
> > place. I probably need to spend more time with swatch and lads; I have
> > got them installed but never gotten real comfortable with them and have
> > never gotten any real-time info out of them so far.
> > Tnt
> >
> >
> > >
> > > Jordan.
> > >
> > > On Sat, 2003-12-27 at 11:17, tek wrote:
> > > > On Fri, 26 Dec 2003 19:33:44 -0700, Another Happy Linux User wrote
> > > > > Hi,
> > > > >
> > > > > I missed this the first time through, but saw it this time.
> > > > > I plan to try this on a number of boxes in the home/LAN & firewall.
> > > >
> > > > Cool, just know you have to have postfix or some mail server of some
> > > > kind running for it to work.
> > > >
> > > > I would like to find a better way to know how they connected, but so
> > > > far netstat is the only thing I have found that gives me that info each
> > > > time. Sending the last 10-50 lines of logs doesn't show the connection
> > > > info, and all I really want is the IP, but netstat shows more than what
> > > > is needed, which might be better in the end anyway.
> > > > Tnt
> > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Jorgen
> > > > > ve5jorrac.ca
> > > > >
> > > > > On Friday 26 December 2003 05:29 pm, tek wrote:
> > > > > > A long time ago I came up with a way to boobytrap root logins so
> > > > > > they generated an email off-system. Initially I was going to have
> > > > > > these going to my cellphone via SMS messages, but in going back over
> > > > > > my little boobytrap I have found myself asking if anyone else is
> > > > > > doing anything like this and if so what are they doing and if it's
> > > > > > different, how?
> > > > > ........
> > > >
> > > >
> > > > --
> > > > o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
> > > > | Linux Solutions Provider, Linux Consultant and IT Services. |
> > > > 0 Windows to Linux Migration Specialists 0
> > > > | http://www.pervasivenetwerks.com |
> > > > o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
> > > > PGP Key Fingerprint
> > > > AA05 B115 5019 754A A151 04F2 822D A1C9 EAB6 AA5B
> >
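An added example (editor's, not code from anyone in the thread): the "tail and grep to trigger mail" log-watching approach discussed above, written as a POSIX shell filter over syslog-style lines. It assumes the 2003-era sshd and pam_unix message formats shown in the constructed sample; login_events, sample_events and notify are names introduced here.

```shell
#!/bin/sh
# Added example, not from the thread: the "tail | grep to trigger mail" idea
# as a small filter over syslog-style lines. Run it live with:
#   tail -F /var/log/messages | login_events | while read -r ev; do ...; done
# Log formats are distro- and version-specific; the lines below are constructed.

SAMPLE_LOG='Dec 27 05:50:01 gw sshd[2143]: Accepted password for jordan from 192.0.2.10 port 40123 ssh2
Dec 27 05:50:01 gw sshd(pam_unix)[2143]: session opened for user jordan by (uid=0)
Dec 27 05:51:12 gw su(pam_unix)[2201]: session opened for user root by jordan(uid=500)
Dec 27 05:51:30 gw sshd[2250]: Failed password for root from 198.51.100.7 port 2048 ssh2
Dec 27 05:51:45 gw sshd[2260]: Failed password for invalid user admin from 198.51.100.7 port 2050 ssh2
Dec 27 05:52:00 gw cron(pam_unix)[2300]: session opened for user root by (uid=0)'

# login_events: stdin -> one "<kind> <user> <source>" line per event.
# Accepted/failed sshd logins carry the peer IP the thread was after;
# su sessions give old user -> new user (the $USER/$USERNAME case).
# cron's pam_unix session lines are deliberately ignored.
login_events() {
    awk '
        # after(word): the field following the first occurrence of word
        function after(word,   i) {
            for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
            return "?"
        }
        /sshd\[[0-9]+\]: Accepted / { print "ssh", after("for"), after("from"); next }
        /sshd\[[0-9]+\]: Failed password for / {
            user = after("for")
            # "for invalid user admin from ..." shifts the name one word right
            if (user == "invalid") user = after("user")
            print "failed", user, after("from"); next
        }
        /su\(pam_unix\)\[[0-9]+\]: session opened for user / {
            src = after("by")
            sub(/\(uid=[0-9]+\)$/, "", src)   # "jordan(uid=500)" -> "jordan"
            if (src == "") src = "uid=0"      # "by (uid=0)": no login name logged
            print "su", after("user"), src; next
        }
    '
}

# sample_events: the filter run over the constructed log above.
sample_events() { printf '%s\n' "$SAMPLE_LOG" | login_events; }

# notify: stand-in for the sendmail pipe in the thread's script, so the
# example runs offline. Swap the body for "| /usr/sbin/sendmail -t" in use.
notify() { printf 'login alert on %s: %s\n' "$(uname -n)" "$*"; }

sample_events | while read -r kind user src; do notify "$kind user=$user from=$src"; done
```

Unlike the .bashrc trap, this reads what PAM and sshd already logged, so a non-bash shell does not evade it; it still only sees what reaches the log file.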