I am looking for a tool that monitors my system and informs me when a user logs in... someone attempts to login, etc. I know I can create a cron job to check "who" or "w" every so often but I was wondering if anyone was aware of a more proactive approach and/or tool.
asked 10 Jun '10, 15:10
Depending on what kind of notification you're looking for, whowatch should accomplish what you'd like:
answered 10 Jun '10, 15:17
You can put the following script into .bashrc of the user you intend to monitor. It alerts via email only on a successful attempt. This is especially useful for the root account.
echo 'ALERT - Shell Access on:'
Replace admin@domain with the email address of user who is to receive the update.
Alternatively, you can use logwatch which parses through your system's logs and creates a report analyzing areas that you specify.
answered 11 Jun '10, 01:35
Description: The GNU Accounting utilities for process and login accounting GNU Accounting Utilities is a set of utilities which reports and summarizes data about user connect times and process execution statistics.
"Login accounting" provides summaries of system resource usage based on connect time, and "process accounting" provides summaries based on the commands executed on the system.
The 'last' command is provided by the sysvinit package and not included here. Homepage: http://www.gnu.org/software/acct/
answered 12 Aug '10, 01:46
You can have a script tail the secure log file, and take action based on that info.
Not sure how proactive you're looking for.
answered 10 Jun '10, 20:43
you might want to check-out a proper auditing system, like Linux Audit & IDS (http://people.redhat.com/sgrubb/audit/), these kind of solutions might take a little more to configure but they are definitely the most complete and precise ones. the above link refers to the Fedora contributed package, but I've read that it's based on features found in Kernel 2.6 anyway
answered 11 Jun '10, 09:06