LinuxQuestions.org
Old 02-23-2006, 05:33 PM   #1
fotoguy

TIP: Email Root Logins

Just found this tip yesterday and thought it may be useful to others wanting to know when someone logs in as root through ssh, GDM, console or when a normal user `su`s to root. When they do this it will send an email straight away:

In /root/.bashrc file at the end put in this command, and edit the (HOSTNAME) with the name of the machine, and you@yourdomain with the email address you wish the mail to be sent to:


Code:
echo 'ALERT - Root Shell Access (HOSTNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com

I have tried this on one of my machines and it works like a treat.
 
Old 02-23-2006, 07:45 PM   #2
unSpawn

Thanks for sharing a tip. Not wanting to slag you off, but...
when someone logs in as root through ssh, GDM, console or when a normal user `su` to root
...root login through ssh should be disallowed, period. If you want to achieve the same for GDM you could use pam_listfile in /etc/pam.d/gdm if your distro uses PAM (or use GRSecurity RBAC features or SELinux).

PAM IMHO is a slightly "better" way of signalling root logins:
- it's administered centrally (kinda efficient),
- it covers the whole system (no files in user dir necessary),
- it's versatile (adaptable to any service that can be PAM-ified),
- alerting can happen almost in parallel with authentication (and before the user actually is logged in),
- it's syslogged (and so can be remote syslogged),
- doesn't necessitate wetware reading email,
# and for some additional (admittedly weak) reasons:
- doesn't allow for DoS'sing as much as the email solution (could DoS syslog as well),
- doesn't rely on mailx,
- isn't affected by "/bin/bash --norc",
- isn't affected by removing or changing root .bash* files.

Of course using PAM isn't tamper-proof either because any file can be removed or changed (though that can be detected OTF as well, monitoring syscall or using Samhain).

Just my 2 cents.
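A concrete shape for the PAM route described in the post above, as an added example that is not code from the thread: pam_exec.so hands the login to a small script before the user ever gets a shell, the script writes one syslog line (so it is remote-syslogged like everything else) and optionally mails. pam_exec is my choice of module here, not one the post names; the script path, the recipient address and the stanza placement are assumptions. The pam_listfile stanza in the comments is the GDM deny rule mentioned above, and pam_warn.so is the no-script alternative if a syslog line is all you want.

```shell
#!/bin/sh
# Added example (not from the thread): /usr/local/sbin/root-login-alert, run by
# pam_exec.so when a session opens. Path, recipient and stanza placement are
# assumptions. Add to each service you care about (/etc/pam.d/su, sshd, gdm...):
#
#   session optional pam_exec.so seteuid /usr/local/sbin/root-login-alert
#
# "optional" means a broken alert script can never block a login. pam_exec puts
# PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY, PAM_RHOST and PAM_RUSER in the
# script's environment, so no parsing of `who` is needed and the alert fires
# before the user's shell (and its rc files) is ever involved.
#
# Related stanzas from the discussion above:
#   /etc/pam.d/gdm:
#   auth    required  pam_listfile.so onerr=fail item=user sense=deny file=/etc/gdm/denied-users
#       (deny root at GDM; put "root" in the listed file)
#   any service:
#   session optional  pam_warn.so
#       (no script at all: one syslog line with service, tty, user, remote host)

# One syslog-friendly line. Arguments: user service type tty rhost ruser.
pam_alert_line() {
    printf 'ROOT-LOGIN user=%s service=%s type=%s tty=%s rhost=%s ruser=%s\n' \
        "$1" "$2" "$3" "${4:-?}" "${5:-local}" "${6:-?}"
}

# Alert only for root and only when the session opens; pam_exec also runs
# this script with PAM_TYPE=close_session on logout.
should_alert() {
    [ "$1" = root ] && [ "$2" = open_session ]
}

main() {
    if should_alert "${PAM_USER:-}" "${PAM_TYPE:-}"; then
        line=$(pam_alert_line "$PAM_USER" "${PAM_SERVICE:-?}" "$PAM_TYPE" \
                              "${PAM_TTY:-}" "${PAM_RHOST:-}" "${PAM_RUSER:-}")
        # syslog first: cheap, forwardable off-box, no MTA needed
        logger -p auth.warning -t root-login-alert "$line"
        if command -v mail >/dev/null 2>&1; then
            printf '%s\n' "$line" |
                mail -s "Alert: root login via ${PAM_SERVICE:-?} on $(hostname)" you@yourdomain.com
        fi
    fi
    return 0   # never fail the login from here
}

# Run only when invoked by PAM; sourcing the file just defines the functions.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Because the decision and the formatting live in small functions, the script can be exercised from a plain shell by setting the PAM_* variables by hand before rolling it into /etc/pam.d.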
 
Old 02-24-2006, 12:39 AM   #3
fotoguy (Original Poster)

Yes, of course logging in as root is a bad idea, and it is always best to be proactive rather than reactive. There are other ways to restrict root login but I thought this may also help if you have already taken all the proactive measures.

If they still manage to get past those measures this will be a second line of defence, an alert to get your attention in real time that a privileged system account has been accessed.

The instant they do have a successful login the .bashrc file is read and the mail has been sent out, so it should be too late for them to do anything to stop the mail, if they even know a mail alert has been sent.

Thanks for the input.
 
Old 02-24-2006, 09:53 AM   #4
piforever

Didn't he say?

>or when a normal user `su` to root

This is what we all do... so I think the tip is good, unless I'm missing something, which is expected since I'm totally a n000b.
 
Old 02-24-2006, 10:57 AM   #5
timmeke

Quote:
Originally Posted by unSpawn
isn't affected by "/bin/bash --norc",
I agree with unSpawn. There are other, more reliable ways to accomplish this (PAM and tripwire stuff indeed come to mind)
The simple --norc trick will make sure that the .bashrc file is simply bypassed when logging in, making the trick mentioned here useless.

On the other hand, you can't be too careful these days. You can't have enough security around.
 
Old 03-01-2006, 07:03 AM   #6
fotoguy (Original Poster)

Quote:
Originally Posted by timmeke
I agree with unSpawn. There are other, more reliable ways to accomplish this (PAM and tripwire stuff indeed come to mind)
The simple --norc trick will make sure that the .bashrc file is simply bypassed when logging in, making the trick mentioned here useless.

On the other hand, you can't be too careful these days. You can't have enough security around.
Yes, there are better ways, and I definitely wouldn't solely rely on it, but if you have many things in place it may make it a little harder for anyone to gain access, or at least to gain access unnoticed.
 
Old 03-01-2006, 08:23 AM   #7
nx5000

Quote:
Originally Posted by unSpawn
- isn't affected by "/bin/bash --norc",
Or

Code:
/bin/sh
 
Old 03-01-2006, 10:22 AM   #8
skog

in /etc/profile

Code:
# /etc/profile is also read by /bin/sh, where $UID is unset; id -u works everywhere
if [ "$(id -u)" -eq 0 ]; then
    echo 'ALERT - Root Shell Access (HOSTNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
fi
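The two shell-rc variants in this thread (the /root/.bashrc one-liner in post #1 and the /etc/profile version just above) share one wrinkle: `who` lists every session on the box, so the Subject carries the origin of whoever happens to be logged in, not the origin of the session that just became root. The following is an added example (mine, not from the thread) that fixes that with `who -m`, refuses to run from non-interactive shells so scp and cron do not trigger it, and writes to syslog as well as mail so the alert survives a missing MTA. The ALERT_TO address and the install path in the usage comment are placeholders. It is still bypassed by `bash --norc` or `/bin/sh`, exactly as pointed out earlier in the thread; treat it as a tripwire, not a control.

```shell
#!/bin/sh
# Added example (not from the thread): a root-shell alert meant to be sourced
# from /etc/profile or /root/.bashrc. ALERT_TO and the install path in the
# usage comment at the bottom are assumed placeholders.
ALERT_TO="${ALERT_TO:-you@yourdomain.com}"

# Pull the origin out of one `who -m` line, for example
#   root     pts/1        2006-03-01 08:23 (203.0.113.5)
# A console login has no "(...)" part and is reported as "local".
session_origin() {
    case "$1" in
        *\(*\)*)
            origin=${1##*\(}                 # keep what follows the last "("
            printf '%s\n' "${origin%%\)*}"   # and drop the closing ")"
            ;;
        *)
            printf 'local\n'
            ;;
    esac
}

# Format the one-line alert: host, timestamp, origin of *this* session.
# Arguments: hostname, `who -m` line, timestamp.
root_alert_message() {
    printf 'ALERT - Root shell access on %s at %s from %s\n' \
        "$1" "$3" "$(session_origin "$2")"
}

# Send the alert, but only when it is actually a root shell that a human is
# sitting at. Non-interactive shells (scp, rsync, cron jobs that source the
# profile) would otherwise fire it constantly and make the mailbox useless.
send_root_alert() {
    [ "$(id -u)" -eq 0 ] || return 0          # $UID is bash-only; id -u works in sh too
    case "$-" in *i*) ;; *) return 0 ;; esac  # not an interactive shell: stay quiet
    host=$(hostname)
    session=$(who -m 2>/dev/null)             # current session only; plain `who` lists everyone
    msg=$(root_alert_message "$host" "$session" "$(date)")
    # syslog first: cheap, can be forwarded off-box, and does not depend on an MTA
    logger -p auth.warning -t root-alert "$msg" 2>/dev/null
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n%s\n' "$msg" "$session" |
            mail -s "Alert: root access on $host from $(session_origin "$session")" "$ALERT_TO"
    fi
    return 0
}

# Usage (assumed path): save as /etc/profile.d/root-alert.sh and add to
# /etc/profile or /root/.bashrc:
#   . /etc/profile.d/root-alert.sh; send_root_alert
```

The origin parsing is a separate function on purpose: it can be checked against a pasted `who -m` line without being root and without sending anything.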
 
Old 03-02-2006, 02:26 AM   #9
timmeke

Just a last note: most login programs, like SSH, already log a security message in the system's logs when a "root" login occurs.
Maybe filtering/watching those logs can help you too.
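Following on from the note above, here is an added example (constructed by me, not from the thread) that filters the syslog/auth.log lines sshd, su and sudo already write and reports each successful root login. The sample log lines are made up for the demonstration; the hostname and addresses are placeholders. One edge case it handles that a naive grep for "session opened for user root" does not: cron opens a root session every minute, so only interactive services are matched.

```shell
#!/bin/sh
# Added example (not from the thread): extract successful root logins from the
# lines sshd, su and sudo already write to syslog / auth.log. The sample log
# below is constructed for the demonstration; host and addresses are placeholders.

SAMPLE_AUTH_LOG='Mar  2 02:26:01 web1 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar  2 02:27:15 web1 su[1300]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  2 02:28:00 web1 sshd[1400]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2
Mar  2 02:29:00 web1 sshd[1500]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  2 02:30:01 web1 CRON[1600]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  2 02:31:00 web1 sudo[1700]: pam_unix(sudo:session): session opened for user root by bob(uid=0)'

# Print the raw log lines that represent a successful root login (stdin -> stdout).
# Two sources are matched:
#   - sshd "Accepted <method> for root from <addr>", whatever the auth method
#   - pam_unix session-open lines for root, but only from interactive services;
#     cron (and systemd) open root sessions all day and must not count
root_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted [a-z-]+ for root from/ { print; next }
        /pam_unix\((su|su-l|sudo|login):session\): session opened for user root by/ { print; next }
    '
}

# One line per root login: timestamp, service, and who/where it came from.
root_login_summary() {
    root_logins | awk '
        /sshd\[/ { print $1, $2, $3, "sshd", "from", $11; next }
        {
            sub(/\[.*/, "", $5)           # "su[1300]:" -> "su"
            sub(/\(.*/, "", $13)          # "alice(uid=1000)" -> "alice"
            print $1, $2, $3, $5, "by", $13
        }
    '
}

# Number of root logins in the input.
root_login_count() {
    root_logins | awk 'END { print NR }'
}

# Usage on a live box (assumed log path):
#   tail -F /var/log/auth.log | root_login_summary
```

Failed attempts against root are deliberately left out of the match; they belong in a separate brute-force count, not in a "root got in" alert.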
 
  

