#!/bin/ksh
###
## rootmonitor
## Root Login Script
##
## Monitors root logins via the su command and
## directly at the console.
## Notifies via email.
##
## Usage: Execute from crontab every 15 minutes
## 14,29,44,59 * * * * /opt/admin/scripts/rtlgn.sh > /dev/null
##
## Dependencies: None
## Outputs: Email
##
## Submitter: Gideon Rasmussen
## Submitter Email: gideon@infostruct.net
## *************************************************************
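# Pin the search path so that last, mail and grep are resolved from the
# system directories rather than from whatever environment cron provides.
PATH=/usr/bin:/usr/sbin:/usr/ucb:/bin
export PATH
# Every variable below is assigned before use; an unset one is a bug.
set -u

# Timestamp components: they key the "already notified" state file and
# are also used as grep patterns against the login records for this hour.
SRVNM=$(uname -n)
DATE=$(date '+%m/%d')
DAY=$(date '+%d')
HOUR=$(date '+%H')
MONTH=$(date '+%m')
MIN=$(date '+%M')

LOGDIR=/var/adm/log/rtlgn
# One "mm/dd HH KIND" line per notification already sent (KIND is CONSOLE or SU).
DATFILE=$LOGDIR/rtlgn.dat

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

# Make sure both the state directory and the state file exist.  Creating the
# file only when the directory was missing meant that a deleted dat file made
# every grep on it fail, which silently disabled both checks below.
[ -d "$LOGDIR" ] || mkdir -p "$LOGDIR"
[ -f "$DATFILE" ] || touch "$DATFILE"

# Clean out the dat file each day: the first cron run after midnight
# (minute 14 with the documented schedule) resets the per-hour markers.
if [ "$HOUR" -eq "00" ] && [ "$MIN" -lt "15" ]; then
  : > "$DATFILE"
fi

# --- Root console login ----------------------------------------------------
# Notify at most once per hour: skip when this hour is already recorded.
if [ "$(grep -c "$DATE $HOUR CONSOLE" "$DATFILE")" -eq 0 ]; then
  # Run last once and reuse the output for both the test and the mail body.
  # NOTE(review): $MONTH is numeric, while last is commonly observed to print
  # the month as a name; confirm on this host that the pattern can match.
  CONSOLE_LOGINS=$(last root console | grep "$MONTH $DAY $HOUR")
  if [ -n "$CONSOLE_LOGINS" ]; then
    mail "$MAILADD" <<EOF
From: $0
To: $MAILADD
Subject: Root Console Login $SRVNM
A root console login has occurred:
$CONSOLE_LOGINS
EOF
    # Ensure notification only occurs once per hour
    printf '%s\n' "$DATE $HOUR CONSOLE" >> "$DATFILE"
  fi
fi

# --- su to root ------------------------------------------------------------
# Notify at most once per hour: skip when this hour is already recorded.
if [ "$(grep -c "$DATE $HOUR SU" "$DATFILE")" -lt 1 ]; then
  # Successful ("+") su entries for this hour that involve root, excluding
  # "root-" lines (presumably su *from* root rather than *to* root — confirm
  # against the sulog format on this host).  The same filtered set is used
  # for the test and for the mail body so that the two cannot disagree.
  SU_LOGINS=$(grep "$DATE $HOUR" /var/adm/sulog | grep -v root- | grep root | grep "+")
  if [ -n "$SU_LOGINS" ]; then
    mail "$MAILADD" <<EOF
From: $0
To: $MAILADD
Subject: Root Access on $SRVNM
The following root login has occurred:
$SU_LOGINS
EOF
    # Ensure notification only occurs once per hour
    printf '%s\n' "$DATE $HOUR SU" >> "$DATFILE"
  fi
fi

exit 0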