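#!/usr/bin/ksh
set -o nolog -u -h +a +o bgnice +e -m
#
# Bmon is intended to capture some information about whatever site is
# twisting my doorknob.  It is probably higher overhead than I need,
# but ...
#
# Invoked as:
#   Bmon daemon status client pid addr host user
# Apart from pid, every argument describes the remote side and is
# treated as untrusted text: it is logged and mailed, never executed.
# Note that errexit is switched off (+e), so individual command
# failures below are deliberately ignored.
#
# From "Practical Unix & Internet Security" by Simson Garfinkle and
# Gene Spafford (O'Reilly & Associates, 1996).

export PATH=/usr/ucb:/usr/bin:/bin:/usr/etc:/etc

# Create /tmp/root in case it doesn't exist.
# NOTE(review): all output below lives under /tmp/root.  That directory
# must be root-owned and not world-writable; a directory created on
# first run with the default umask is only safe if nobody else got to
# /tmp/root first.
mkdir -p /tmp/root

# Mail the raw argument list to root.  The header lines are printed
# separately so no backslash escapes are needed, and print -r keeps
# backslash sequences inside the (untrusted) arguments from being
# interpreted.
{
  print -r -- "Subject: Notice"
  print -r -- "From: operator"
  print -r -- ""
  print -r -- "$*"
} | /usr/lib/sendmail root

typeset daemon="$1" status="$2" client="$3" pid="$4" addr="$5" host="$6" user="$7"

# For most things, we simply want a notice.
# Unsuccessful attempts are warnings.
# Special accounts on rshd/rlogind merit an alert (this rule applies
# whatever $status says).
typeset level=notice
if [[ "$status" != allow ]]; then
  level=warning
fi
if [[ "$daemon" = in.@(rshd|rlogind) && "$user" = @(root|security) ]]; then
  level=alert
fi
# Syslog the whole argument list; backgrounded, exit status not checked.
/usr/bin/logger -t Bmon -p auth."$level" "$*" &

umask 037

#######################################
# Pick a fresh per-event log file name under /tmp/root and create it.
# Globals:   logfile (written)
# Arguments: none
# Returns:   0 (errexit is off; a chgrp failure is ignored)
#######################################
function new_logfile {
  typeset temp=/tmp/root/security-log.$$
  typeset -Z3 suffix=0
  while [[ -a "$temp.$suffix" ]]; do
    let suffix+=1
  done
  logfile="$temp.$suffix"
  # Create the file first so that chgrp has something to act on.
  : >> "$logfile"
  chgrp staff "$logfile"
}

new_logfile

#######################################
# Indent stdin by one space and append it to the event log.
# Globals:   logfile (read)
# Arguments: none (reads stdin)
#######################################
function Indent {
  sed -e 's/^/ /' >> "$logfile"
}

# From here on everything we print goes to the event log; fd 3 keeps the
# original stdout open, although nothing below writes to it.
exec 3>&1 >>"$logfile" 2>&1

date
print -r -- "Remote host: $host Remote user: $user"
print ""
print "Local processes:"
ps axg | Indent
print ""
print "Local network connections:"
netstat -n -a -f inet | Indent
print ""
print -r -- "Finger of $host"
# Both finger calls contact the remote host.
finger -s "@$host" | Indent
print ""
# A user name beginning with '-' would be read by finger as options, so
# such names are skipped rather than passed on.
if [[ "$user" != unknown && "$user" != -* ]]; then
  finger -h -p -m "$user@$host" | Indent
fi

# Append a short summary to the daemon log.
exec >> /tmp/root/daemon.log 2>&1
print "-------------------------"
print ""
print -r -- "pid=$pid client=$client addr=$addr user=$user"
print -r -- "Details in $logfile"
date
print ""

# Now bring up an alert box on the admin's workstation.
typeset alert=/tmp/root/alert.$$
{
  print ""
  print -r -- "daemon=$daemon client=$client addr=$addr user=$user"
  print -r -- "Details in $logfile"
  date
  print ""
  print -n "(press return to close window.)"
} > "$alert"
integer lines=$(wc -l < "$alert" | tr -d ' ')
# NOTE(review): -fn is given twice and the later one wins; confirm
# whether the second was meant to be -fb (bold font).
xterm -fg white -bg red -fn 9x15 -T "ALERT" -fn 9x15B \
  -geom "60x$lines+20+20" -e sh -c "cat $alert; read nothing"
/bin/rm "$alert"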