Xymon Mailing List Archive

Sample of Hobbit server-side module (was: Who Test)

list Jerry Yu
Sun, 28 Jan 2007 08:42:34 -0500
Message-Id: <user-91ada06e8a5d@xymon.invalid>

Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root'
trigger to Hobbit's LOG monitor against /var/log/messages or
/var/log/secure.  For example, on Fedora Core 6, you get these tell-tale
entries in /var/log/secure. The first was a failed attempt while the 2nd is
a successful attempt.

Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost=  user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)

If these entries got forwarded to a remote syslog server, the trigger would
be much less vulnerable to tampering.

On 1/28/07, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:
On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
I have noticed that the client collects all of the data and then the
server "tests" the condition.

How would I go about writing a who script that would tell me when
someone is logged in as root?

For someone familiar with Perl, I think it should be fairly
straight-forward.

I'm not familiar with Perl at all, but a couple of hours' work produced
this, which appears to work fine. I'll include it as a sample of how to
hook into the Hobbit server-side channels.

To use it, put it in your ~hobbit/server/ext/ directory, and add this to
your hobbitlaunch.cfg on your server:

[rootlogin]
        ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
        NEEDS hobbitd
        CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl


Regards,
Henrik
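
The log-trigger idea from the message above, as an added example that is not part of the original thread or of Hobbit itself: a Python matcher for the two /var/log/secure entries quoted there, anchored on the su syslog tag and alerting only when the target user is root. The `su(?:-l)?` generalisation, the event names and the third sample line are assumptions made for illustration.

```python
import re

# Syslog header: "Jan 28 08:37:14 box1 <message>"
HEADER_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<rest>.*)$")

# Both patterns are matched at the start of the message part, so the "su:" tag
# must come from the logging program and not from text inside another message.
# Assumption: plain "su" logs as pam_unix(su:...), "su -" as pam_unix(su-l:...).
FAIL_RE = re.compile(
    r"su: pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*?\bruser=(?P<actor>\S*)\s+rhost=\S*\s+user=(?P<target>\S+)")
OPEN_RE = re.compile(
    r"su: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>\S+) by (?P<actor>[^\s(]*)\(uid=\d+\)")

# Event names are hypothetical labels chosen for this example.
PATTERNS = (("root-su-failed", FAIL_RE), ("root-su-opened", OPEN_RE))


def classify(line):
    """Return (event, actor, host) for an su-to-root entry, else None."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    for event, rx in PATTERNS:
        m = rx.match(head["rest"])
        if m and m["target"] == "root":  # ignore su to non-root accounts
            return event, m["actor"], head["host"]
    return None


def scan(lines):
    """Classify every line and keep only the root-related hits, in order."""
    return [hit for hit in map(classify, lines) if hit]


# First two lines are the entries quoted in the message (unwrapped);
# the third is constructed to show a non-root su that must not alert.
SAMPLE = [
    "Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; "
    "logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost=  user=root",
    "Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for "
    "user root by joe(uid=500)",
    "Jan 28 08:39:02 box1 su: pam_unix(su-l:session): session opened for "
    "user postgres by joe(uid=500)",
]

if __name__ == "__main__":
    for event, actor, host in scan(SAMPLE):
        print(f"{host}: {event} by {actor}")
```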