possible to test against "who"? 🔗 link

Is anyone doing any tests against the "who" test?

I would possibly like to alert if root (linux) or administrator (windows) is logged into a server.

I have never seen this done before nor do I find anything in the docs for analysis.cfg.  With today's heightened security awareness this may be something others would be interested in also.

Thanks,
John
Upcoming PTO:
John Rothlisberger
IT Strategy, Infrastructure & Security - Technology Growth Platform
TGP for Business Process Outsourcing
Accenture
XXX.XXX.XXXX office


This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.

www.accenture.com

We actually have a simple perl client script that does this.


=G=


From: Xymon <xymon-bounces at xymon.com> on behalf of Rothlisberger, John R. <user-7adce57665bb@xymon.invalid>
Sent: Thursday, November 9, 2017 11:22 AM
To: 'xymon >> xymon at xymon.com'
Subject: [Xymon] possible to test against "who"?


EXTERNAL

Is anyone doing any tests against the "who" test?

I would possibly like to alert if root (linux) or administrator (windows) is logged into a server.

I have never seen this done before nor do I find anything in the docs for analysis.cfg.  With today's heightened security awareness this may be something others would be interested in also.

Thanks,
John
Upcoming PTO:
John Rothlisberger
IT Strategy, Infrastructure & Security - Technology Growth Platform
TGP for Business Process Outsourcing
Accenture
XXX.XXX.XXXX office


This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.

www.accenture.com

You'd need a custom script for it. Pretty simple

$HOST = `hostname`;
$TEST = 'who`;
$COLOR='green';
@users=`who`;

push (@output, "Who Test");

while $user (@users) {
    @user = split (/\s/, $user);
    If ($user[0] eq 'root') {
                $COLOR='red' ;   # or yellow whatever
                # do other stuff for formatting
                push (@output, "\&red");      # built in  icon
   }
   push (@output, $user);
}

if (!open (XYMON, "$ENV{XYMON} $XYMSRV \"status+$StatusTimeout $HOST.$TEST $COLOR @output\" |")) {
                print "$prog: WARNING Can not run $XYMON $XYMSRV\n";
}

    close (XYMON);

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Rothlisberger, John R.
Sent: Thursday, November 09, 2017 10:23 AM
To: 'xymon >> xymon at xymon.com'
Subject: [Xymon] possible to test against "who"?

Is anyone doing any tests against the "who" test?

I would possibly like to alert if root (linux) or administrator (windows) is logged into a server.

I have never seen this done before nor do I find anything in the docs for analysis.cfg.  With today's heightened security awareness this may be something others would be interested in also.

Thanks,
John
Upcoming PTO:
John Rothlisberger
IT Strategy, Infrastructure & Security - Technology Growth Platform
TGP for Business Process Outsourcing
Accenture
XXX.XXX.XXXX office


This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.

www.accenture.com<http://www.accenture.com>;
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.