Mail alert on root shell access

walo

This script sends an email when someone accesses the root account shell.

Copy this script to the end of the /root/.bashrc file. Leave a blank line at the end.

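Code:
# Appended to /root/.bashrc: runs each time an interactive root shell starts.
# mktemp gives an unpredictable name; a fixed name in /tmp could be pre-created or symlinked by a local user.
TMLFILE=`mktemp /tmp/alert.XXXXXX`
# Server IP address from the eth0 configuration
lip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-eth0 | cut -d'=' -f2`
# Remote address of connections to port 22; field 8 assumes netstat prints IPv4-mapped addresses (::ffff:a.b.c.d:port)
vip=`netstat -na | grep "$lip:22" | cut -d':' -f8`
# Server name from the DirectAdmin configuration
host=`grep servername /usr/local/directadmin/conf/directadmin.conf | cut -d'=' -f2`
subject="[ALERT] Access root on $host"
echo "Alert access root on $host" > "$TMLFILE"
echo "---------------------------------------------------" >> "$TMLFILE"
echo "" >> "$TMLFILE"
echo "On server: $host ($lip)" >> "$TMLFILE"
# $vip is left unquoted so that several matching connections collapse onto one line
echo "From: "$vip >> "$TMLFILE"
echo "Date: `date`" >> "$TMLFILE"

mail -s "$subject" [email protected] < "$TMLFILE"

rm -f "$TMLFILE"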

Replace [email protected] with the destination email for the alert.

Tested on CentOS 3.x, 4.x and Fedora 3
 
Is there a way to tell the difference between an access from ssh or su? Otherwise, really great script.
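
As an added example (not code from the thread or from either poster), one way to tell an SSH login from su or sudo is to look at the parent process of the new root shell and at the SSH_CONNECTION variable that sshd sets. The function names, the use of `uname -n` for the host name and the sample addresses in the comments are assumptions made for this example.

```bash
# Added example: classify how a root shell was started, for use in an alert body.

# classify_access PARENT_COMM -> prints "ssh", "su", "sudo" or "other"
classify_access() {
    case "$1" in
        sshd*) echo "ssh" ;;    # shell spawned by sshd: direct root login over SSH
        su)    echo "su" ;;     # an existing user switched to root with su
        sudo)  echo "sudo" ;;   # sudo -i / sudo -s
        *)     echo "other" ;;  # console login, cron, screen, ...
    esac
}

# peer_ip SSH_CONNECTION_VALUE -> client address, or "unknown" when empty.
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port",
# e.g. (constructed) "203.0.113.7 51514 192.0.2.10 22".
# Plain "su" inherits it from the user's SSH session; "su -" clears it.
peer_ip() {
    if [ -n "$1" ]; then
        echo "${1%% *}"
    else
        echo "unknown"
    fi
}

# build_alert HOST PARENT_COMM SSH_CONNECTION_VALUE -> prints the alert body
build_alert() {
    method=$(classify_access "$2")
    printf 'Alert access root on %s\nMethod: %s\nFrom: %s\nDate: %s\n' \
        "$1" "$method" "$(peer_ip "$3")" "$(date)"
}

# Live values for the current shell: in .bashrc, $PPID is the process that
# started this shell (sshd, su, sudo, ...). ps -o comm= prints its name.
parent_comm=$(ps -o comm= -p "$PPID" 2>/dev/null || echo unknown)
build_alert "$(uname -n)" "$parent_comm" "${SSH_CONNECTION:-}"
```

In /root/.bashrc the last line would be piped to `mail -s` with the alert address instead of being printed.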
 