SYNOPSIS

I want to know whenever someone logs into my server or does a successful su. Luckily, PAM has a pam_exec module.

PROCEDURE

/etc/pam.d/common-session

...
# Run the notification script from the session stack. With the "optional"
# control flag, a failing or missing script should not by itself deny the
# login as long as other session modules are present in this file.
# NOTE(review): keep /usr/local/bin/notify-login owned by root and not
# writable by other users; pam_exec runs it on every session open, presumably
# with the privileges of the calling service. Confirm for your services.
session optional            pam_exec.so /usr/local/bin/notify-login

/usr/local/bin/notify-login

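#!/bin/sh
# notify-login: run by pam_exec from the PAM session stack. Mails
# root@localhost a short summary of every newly opened session, unless the
# remote host is on the allowlist below.
# pam_exec passes PAM_TYPE, PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE and
# PAM_TTY in the environment.

# The session stack also runs on close_session; report session opens only.
[ "$PAM_TYPE" = "open_session" ] || exit 0

# Space-separated allowlist of remote hosts that must not trigger a mail.
WHITE_IPS="..."

# NOTE(review): "%%.*" strips everything from the FIRST dot onwards, so this
# is only the leading label of PAM_RHOST (the first octet of an IPv4 address,
# or the short name when PAM_RHOST is a hostname). An entry matched this way
# silences alerts for every address sharing that prefix, so prefer listing
# full addresses, which are matched exactly below.
RHOST_IP="${PAM_RHOST%%.*}"

# Word-splitting of WHITE_IPS is intentional; disable globbing so an entry
# containing "*" or "?" is never expanded against the current directory.
set -f
for IP in $WHITE_IPS; do
    # Legacy prefix match (kept for existing entries) or exact full match.
    if [ "$IP" = "$RHOST_IP" ] || [ "$IP" = "$PAM_RHOST" ]; then
        exit 0
    fi
done

# PAM_RUSER and PAM_RHOST come from the remote side (PAM_RHOST may be a
# reverse-DNS name), so treat them as untrusted text: printf '%s' prints them
# literally, whereas some /bin/sh "echo" builtins interpret backslashes.
{
    printf 'User: %s\n' "$PAM_USER"
    printf 'Ruser: %s\n' "$PAM_RUSER"
    printf 'Rhost: %s\n' "$PAM_RHOST"
    printf 'Service: %s\n' "$PAM_SERVICE"
    printf 'TTY: %s\n' "$PAM_TTY"
    printf 'Date: %s\n' "$(date)"
    printf 'Server: %s\n' "$(uname -a)"
} | mail -s "$(hostname -s) $PAM_SERVICE login: $PAM_USER" root@localhost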