Who Test
list Richard Leon
I have noticed that the client collects all of the data and then the server "tests" the condition. How would I go about writing a who script that would tell me when someone is logged in as root? Thanks Richard
list Stef Coene
On Saturday 27 January 2007 00:51, Richard Leon wrote:
I have noticed that the client collects all of the data and then the server "tests" the condition. How would I go about writing a who script that would tell me when someone is logged in as root?
You can also write client tests. The bb command is used to send the status to the server. It's up to you to write the actual test. There is an entry in the FAQ section about this: http://www.hswn.dk/hobbit/help/hobbit-tips.html#scripts Stef
list Henrik Størner
On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
I have noticed that the client collects all of the data and then the server "tests" the condition. How would I go about writing a who script that would tell me when someone is logged in as root?
For a server-side script, you'll be hooking into the Hobbit "client" channel. You do that by running
    hobbitd_channel --channel=client MYSCRIPT
through an extra section in the hobbitlaunch.cfg file. You can also run it by hand (eg for testing your script), then you must be logged in as the "hobbit" user and then run it via "bbcmd" like this:
    bbcmd hobbitd_channel --channel=client MYSCRIPT
Your script will be getting the full client message, which looks like this:
    @@client#660157/osiris.hswn.dk|1169886036.071499|172.28.50.141|osiris.hswn.dk|linux|linux
    [uptime]
    09:21:06 up 4 days, 6:53, 1 user, load average: 0.03, 0.06, 0.01
    [date]
    Sat Jan 27 09:21:15 CET 2007
    [who]
    henrik :0 2007-01-23 04:04
    <lots more section>
    @@
(Just to see what it looks like, try running
    bbcmd hobbitd_channel --channel=client cat
which just dumps the client data to the terminal).
Each message begins with a line with "@@client...." and ends with a "@@" line. In between those two is a series of sections marked with "[SECTION]", you just need to grab the "[who]" section and scan it for a "root" login.
When you've scanned a section, generate a status message (green or red) and send it to Hobbit - the hostname of the client reporting this data is in the "@@client..." line, as the fourth field (delimited by '|' signs).
For someone familiar with Perl, I think it should be fairly straight-forward.
Regards,
Henrik
list Henrik Størner
On Sat, Jan 27, 2007 at 09:29:12AM +0100, Henrik Stoerner wrote:
On Fri, Jan 26, 2007 at 05:51:49PM -0600, Richard Leon wrote:
I have noticed that the client collects all of the data and then the server "tests" the condition. How would I go about writing a who script that would tell me when someone is logged in as root?
For someone familiar with Perl, I think it should be fairly straight-forward.
I'm not familiar with Perl at all, but a couple of hours work produced this, which appears to work fine. I'll include it as a sample of how to hook into the Hobbit server-side channels.
To use it, put it in your ~hobbit/server/ext/ directory, and add this to your hobbitlaunch.cfg on your server:
    [rootlogin]
        ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
        NEEDS hobbitd
        CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/rootlogin.log $BBHOME/ext/rootlogin.pl
Regards,
Henrik
Attachments (1)
list Jerry Yu
Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor against /var/log/messages or /var/log/secure.
For example, on Fedora Core 6, you get these tell-tale entries in /var/log/secure. The first was a failed attempt while the 2nd is a successful attempt.
    Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
    Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)
If these entries got forwarded to a remote syslog server, the trigger would be much less vulnerable to tampering.
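The log-based check Jerry suggests, sketched as an added example (not Hobbit's LOG monitor configuration and not code from the thread): it matches the two pam_unix su entries quoted above and reports attempts to become root. The optional [pid] after su, the third sample line with the hypothetical user "ann", and the colour policy are assumptions.

```python
import re

# The two /var/log/secure entries quoted above, plus one constructed line
# (hypothetical target user "ann") that must not be reported.
SAMPLE_LOG = """\
Jan 28 08:37:14 box1 su: pam_unix(su-l:auth): authentication failure; logname=joe uid=500 euid=0 tty=pts/0 ruser=joe rhost= user=root
Jan 28 08:37:19 box1 su: pam_unix(su-l:session): session opened for user root by joe(uid=500)
Jan 28 08:40:02 box1 su: pam_unix(su-l:session): session opened for user ann by joe(uid=500)
"""

# Syslog timestamp, host, then the pam_unix tag written by su or su -l.
PREFIX = (r"^(?P<when>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
          r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:")
FAILED = re.compile(
    PREFIX + r"auth\): authentication failure;"
    r".*\bruser=(?P<by>\S*).*\buser=(?P<target>\S+)")
OPENED = re.compile(
    PREFIX + r"session\): session opened for user (?P<target>\S+) "
    r"by (?P<by>[^(\s]*)\(uid=\d+\)")


def root_su_events(lines, target="root"):
    """Return one dict per failed or successful su attempt to `target`."""
    events = []
    for line in lines:
        for outcome, rx in (("failed", FAILED), ("opened", OPENED)):
            m = rx.match(line)
            # Compare the captured account exactly, so "rooter" is not "root".
            if m and m.group("target") == target:
                events.append({"outcome": outcome, **m.groupdict()})
    return events


def color_for(events):
    """Assumed policy: red on a successful su to root, yellow on failures only."""
    outcomes = {e["outcome"] for e in events}
    if "opened" in outcomes:
        return "red"
    return "yellow" if outcomes else "green"


if __name__ == "__main__":
    found = root_su_events(SAMPLE_LOG.splitlines())
    for e in found:
        print(e["when"], e["host"], e["outcome"], "by", e["by"])
    print("status colour:", color_for(found))
```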
list Henrik Størner
On Sun, Jan 28, 2007 at 08:42:34AM -0500, Jerry Yu wrote:
Why reinvent the wheel ;) An easier way may be just to add a 'who-got-root' trigger to Hobbit's LOG monitor [...]
It wasn't so much to implement the "is root logged in" check as to show how server-side modules can be implemented. The check for an active root login is just what got me into writing this sample code. Regards, Henrik
list Jerry Yu
ah, the server side extension. great, now I know how to extend on the server side.
list Gildas le Nadan
Hi Henrik, Will this example be included in the next release or in the FAQ/documentation? I think this is worth it! (I might even have to reconsider the way I'm aggregating clients values for my ganglia-like output *grumble*) Cheers, Gildas
list Henrik Størner
On Mon, Jan 29, 2007 at 02:01:06PM +0000, Gildas Le Nadan wrote:
Hi Henrik, Will this example be included in the next release or in the FAQ/documentation?
I'll include it with the next release. There's already a hobbitd_sample.c file showing how to use the Hobbit channels from a C program, so it fits in well with this. Regards, Henrik
list Richard Leon
Am I missing something? The rootlogin.pl is not working. Here is the log
    PID 20669, cause Bad file number
    2007-01-29 12:53:49 Our child has failed and will not talk to us: Channel client, PID 20669, cause Bad file number
    2007-01-29 12:54:04 Our child has failed and will not talk to us: Channel client, PID 20669, cause Bad file number
Thanks
Richard
list Henrik Størner
In <001e01c743d6$a5c32340$user-05df8fc2c591@xymon.invalid> "Richard Leon" <user-a4b45fb5dd94@xymon.invalid> writes:
Am I missing something? The rootlogin.pl is not working .
Can you run it by hand ? Do this
    BB=/bin/echo BBDISP=0.0.0.0 ~hobbit/server/ext/rootlogin.pl
and feed it this input:
---- cut here ----
@@client#12345/localhost|1169985951.340108|10.0.0.152|localhost|sunos|sunos
[who]
hstoerne pts/0 Jan 28 00:07 (from somewhere)
root ttyS0 Nov 1 11:13
@@
---- end of input ----
It should yield this output:
    0.0.0.0 status localhost.login red ROOT login active
    &red ROOT login detected!
    hstoerne pts/0 Jan 28 00:07 (from somewhere)
    root ttyS0 Nov 1 11:13
I suspect it's something silly like your perl being in /usr/local/bin instead of /usr/bin (adjust the first line of the script if that is the case).
Henrik
list Chris Morris
The script works but is generating this message in the log :-
    Use of uninitialized value in concatenation (.) at /usr/local/hobbit/server/ext/rootlogin.pl line 76, <STDIN> line 841341.
Any ideas?
Thanks,
Chris
list Greg L Hubbard
That is a normal Perl gripe if you use one of the pragmas (use strict; use warning) or have the -w switch in the first line. Without this stuff, Perl silently "handles" this condition -- Perl was not always militant about having variables predeclared and initialized prior to first use. GLH
list Henrik Størner
On Tue, Jan 30, 2007 at 11:03:56AM -0000, Morris, Chris (SS-IS) wrote:
The script works but is generating this message in the log :- Use of uninitialized value in concatenation (.) at /usr/local/hobbit/server/ext/rootlogin.pl line 76, <STDIN> line 841341.
Like I said, I'm not a Perl programmer :-) I cannot see what would be uninitialized in that line.
Regards,
Henrik
list Greg L Hubbard
Perl gripes when you set a variable to "" and then use it in a concatenation. One workaround is to use the -w switch and the "strict" pragma during development, then turn them off in production to reduce the noise. GLH
list Richard Leon
I have had it running the "Who Test" for about a day now. And half of my systems have gone to purple. I have logged in as root and the system is still reporting a purple state.
list Massimo Morsiani
Hi all,
I successfully installed Hobbit client on our AIX servers.
And I want to monitor some critical processes.
Below you can find a portion of my hobbit-clients.cfg related to one of these servers.
HOST=proge.flr.gilbarco.com
MEMSWAP 70 85
PROC /opt/rational/clearcase/etc/albd_server 1 1 red
PROC /opt/rational/clearcase/etc/lockmgr 1 1 red
PROC vob_server 1 50 red TRACK=vob_server "TEXT=ClearCase VOB server"
DIR /opt/freeware/libexec/hobbit TRACK
DIR /hobbitclient TRACK
The problem is that TRACK seems not working anymore. Neither for PROC rule, nor for DIR rule.
I have no graph at all. Why?
Regards.
Massimo Morsiani
Information Technology Dept.
Gilbarco S.p.a.
via de' Cattani, 220/G
50145 Firenze
tel: +XX-XXX-XXXXX
fax: +XX-XXX-XXXXXX
email: user-32025d8bd22e@xymon.invalid
web: http://www.gilbarco.it
list Henrik Størner
On Tue, Jan 30, 2007 at 11:15:08AM -0600, Richard Leon wrote:
I have had it running the "Who Test" for about a day now. And half of my systems have gone to purple. I have logged in as root and the system is still reporting a purple state.
The version I posted had a bug, so if there were no users logged in, it
would not update the status - and it would go purple after half an hour.
The quick fix is to change
# Start of new message section.
$cursection = $1;
$sections{ $cursection } = "";
to
# Start of new message section.
$cursection = $1;
$sections{ $cursection } = "\n";
i.e. put a "\n" into the $sections.... variable.
Henrik
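A worker for the client channel that handles the message format Henrik describes earlier in the thread and the empty [who] case behind the purple statuses, as an added example that is not rootlogin.pl or any other code from the thread. It is written in Python rather than Perl; the green status wording, the host quiet.example.com and the helper names are assumptions, and with BB=/bin/echo it can be run by hand the same way as the hand test above.

```python
import os
import re
import subprocess
import sys

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")

# Constructed input: the thread's hand-test message, then an empty [who].
SAMPLE = """\
@@client#12345/localhost|1169985951.340108|10.0.0.152|localhost|sunos|sunos
[who]
hstoerne pts/0 Jan 28 00:07 (from somewhere)
root ttyS0 Nov 1 11:13
@@
@@client#12346/quiet.example.com|1169985952.000000|10.0.0.153|quiet.example.com|linux|linux
[who]
[date]
Sun Jan 28 13:05:52 CET 2007
@@
"""


def client_messages(stream):
    """Yield (hostname, {section: [lines]}) for each @@client ... @@ message."""
    host, sections, current = None, {}, None
    for raw in stream:
        line = raw.rstrip("\n")
        if line.startswith("@@"):
            if line == "@@" and host is not None:
                yield host, sections
            fields = line.split("|")
            # hostname is the fourth '|'-delimited field of the header line
            ok = line.startswith("@@client") and len(fields) >= 4
            host, sections, current = (fields[3] if ok else None), {}, None
        elif host is not None:
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1)
                sections[current] = []  # record the section even when empty
            elif current is not None:
                sections[current].append(line)


def build_status(hostname, sections, column="login"):
    """Return the status text, or None only if there was no [who] section."""
    if "who" not in sections:  # presence, not truthiness: [] is still a report
        return None
    who = sections["who"]
    root = any(row.split()[:1] == ["root"] for row in who)
    color, summary = ("red", "ROOT login active") if root else ("green", "OK")
    detail = "ROOT login detected!" if root else "No root login active"
    # bb status messages name the host with commas in place of dots
    target = hostname.replace(".", ",") + "." + column
    return f"status {target} {color} {summary}\n\n&{color} {detail}\n\n" + "\n".join(who)


def statuses(stream):
    """Yield a status text for every message that carried a [who] section."""
    for host, sections in client_messages(stream):
        status = build_status(host, sections)
        if status is not None:
            yield status


if __name__ == "__main__":
    bb, bbdisp = os.environ.get("BB", "/bin/echo"), os.environ.get("BBDISP", "0.0.0.0")
    for status in statuses(sys.stdin):
        # argv list, no shell: the [who] text is client-supplied data
        subprocess.run([bb, bbdisp, status], check=False)
```

Because the host with nobody logged in still produces a green status on every client report, its column does not go stale and turn purple.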
list Jason Altrincham Jones
Where are these rules in relation to the default settings? Hobbit only takes the first matching rule so they must be above the default. Jason.
list Massimo Morsiani
Hi Jason, reported rules are above the default rules section in my hobbit-clients.cfg.
Regards.
Massimo Morsiani