Tracking root signons in AIX

For AIX is there a way to track root signons and send an email when someone signs on as root ?  Thanks
dananddloAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

woolmilkporcCommented:
Hi,

which way do the "suspects" reach your server? ssh? telnet? console?

In the very first place I'd suggest changing root's password immediately, to significantly reduce the number of persons who can login "legally".

Next I'd suggest denying remote logins for root, or even disabling telnet/rsh etc. as a whole.

So people are urged to use "su", whose use is tracked in /var/adm/sulog or maybe "ssh", where sshd can easily be configured to log all connection attempts.

Of course you can also setup auditing, to track root's (or all) logins.

wmp




0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amirs80Commented:
last| grep root
command gives you the status of root signon
and you can send mail command in root profile so that it send the mail on signon
0
woolmilkporcCommented:
OK,
regarding the mail in root's profile - of course you can do that.
I'd assume, however, that a malicious person disposing of root's password will not have any problems to circumvent this.
Anyway, you could add this to root's .profile
who am i | mailx -s "root login at $(/usr/bin/hostname)!"  dananddlo@domain.tld
 
0
dananddloAuthor Commented:
woolmilkporc,
I am new to AIX.  I was told (by IBM) that root doesn't have a .profile file like other users. Where is this located? Thanks for your help!
0
woolmilkporcCommented:
Hi,
OK, root doesn't have a .profile by default, but root is not forbidden to have one (in his home directory) either.
Anyway, we can use the system-wide initialization file /etc/profile as well, but since it's run for all users we need to check whether it's root who logs in.
So you could add to /etc/profile
[ $(id -u) -eq 0 ] && who am i | mailx -s "$(id -u -nr) login at $(hostname)!" dananddlo@domain.tld
Add the above somewhere near the end of /etc/profile and check it out.
wmp
 
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.