This post describes how to implement a notification for every Linux login on CentOS 7 using pam_exec.so.
Notifying the administrator, or the user concerned, of each login is useful for internal audits and as a security control.
【Why use pam_exec.so】
Looking at other sites, you will find that this can be implemented with the following:
- /etc/ssh/sshrc
- ~/.ssh/rc, etc.
However, these only cover SSH logins; console logins and the like are not notified.
Since I also wanted mail notification for console logins, I decided to use pam_exec.so.
Reference site: http://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html
1. Create the mail-sending script ( /usr/local/bin/notify-login.sh )
# vi /usr/local/bin/notify-login.sh
#!/bin/bash
# Environment
export LC_CTYPE=ja_JP.UTF-8
# Services excluded from notification (pipe-separated; used as a regular expression)
EXC_SERVICE="crond|gdm-launch-environment"
# Recipient address
TOMAIL=xxxxxx@xxxxxx
# Sender address
FROMMAIL=xxxxxx@xxxxxx
# Login notification mail.
# pam_exec.so exports PAM_TYPE, PAM_SERVICE, PAM_USER, PAM_RUSER, PAM_RHOST and PAM_TTY to this script.
if ! printf '%s\n' "$PAM_SERVICE" | grep -Eiq "$EXC_SERVICE"; then
    # The script is run for close_session as well, so act only on open_session
    if [ "$PAM_TYPE" = "open_session" ]; then
        {
            echo "【ユーザがログインしました】"
            echo "User: $PAM_USER"
            echo "Ruser: $PAM_RUSER"
            echo "Rhost: $PAM_RHOST"
            echo "Service: $PAM_SERVICE"
            echo "TTY: $PAM_TTY"
            echo "Date: $(date)"
            echo "Server: $(hostname)"
        } | mail -s "【ログイン情報】サーバ:$(hostname -s) ユーザ: $PAM_USER" -r "$FROMMAIL" "$TOMAIL"
    fi
fi
Once the script is created, make it executable.
# chmod +x /usr/local/bin/notify-login.sh
2. Modify PAM
On CentOS 7, two files need to be modified.
# vi /etc/pam.d/password-auth
session optional pam_exec.so /usr/local/bin/notify-login.sh
(Add this line after the last existing session line.)
# vi /etc/pam.d/system-auth
session optional pam_exec.so /usr/local/bin/notify-login.sh
(Add this line after the last existing session line.)
The reason for modifying both files is that password-auth is included by sshd and ftpd, while system-auth is included by chfn/chsh/su.
Note that crond and gdm-launch-environment are also covered by these files, which is why the mail script lists them as excluded services; without that exclusion every cron job would generate a mail.
The services that will trigger a notification are the ones whose pam.d files include these two files:
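The following is an added example (not the script from the article or the referenced site): the same notification logic split into functions so the exclusion list and the mail body can be tested offline, without PAM or a mail transport. It assumes the PAM_* variables that pam_exec.so exports and the mailx "mail -s ... -r" invocation used above; DRY_RUN is a hypothetical switch for testing, and the service-name match is anchored, which goes beyond the unanchored egrep in the original.

```shell
#!/bin/sh
# Added example (not the original script or the referenced site's code): the
# notification logic from the article split into testable functions so the
# exclusion list and message body can be checked offline, without PAM or a
# mail transport. Assumes the PAM_* variables pam_exec.so exports and the
# mailx "mail -s ... -r" invocation used above.

EXC_SERVICE="crond|gdm-launch-environment"
TOMAIL="${TOMAIL:-xxxxxx@xxxxxx}"      # placeholders, as in the article
FROMMAIL="${FROMMAIL:-xxxxxx@xxxxxx}"

# Return 0 (notify) unless the service matches the exclusion list.
# Anchored with ^...$ so that a service named e.g. "crond-foo" is not
# silently excluded by a partial match, unlike the unanchored egrep above.
should_notify() {
    service="$1"
    ! printf '%s\n' "$service" | grep -Eiq "^(${EXC_SERVICE})$"
}

# Build the mail body from user, ruser, rhost, service, tty. Console logins
# have an empty PAM_RHOST; label that explicitly instead of leaving it blank.
build_message() {
    origin="${3:-(local console)}"
    printf 'User: %s\nRuser: %s\nRhost: %s\nService: %s\nTTY: %s\n' \
        "$1" "$2" "$origin" "$4" "$5"
}

# Entry point for pam_exec.so. The script is invoked for both open_session
# and close_session, so only the former is acted on. DRY_RUN=1 (hypothetical
# switch) prints the body instead of mailing it, so the hook can be checked
# with pam_exec's environment before it is enabled on a production host.
notify_login() {
    [ "$PAM_TYPE" = "open_session" ] || return 0
    should_notify "$PAM_SERVICE" || return 0
    body="$(build_message "$PAM_USER" "$PAM_RUSER" "$PAM_RHOST" "$PAM_SERVICE" "$PAM_TTY")"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$body"
    else
        printf 'Date: %s\nServer: %s\n%s\n' "$(date)" "$(hostname)" "$body" |
            mail -s "Login on $(hostname -s): $PAM_USER" -r "$FROMMAIL" "$TOMAIL"
    fi
}

notify_login
```

To try it by hand, run e.g. `PAM_TYPE=open_session PAM_SERVICE=sshd PAM_USER=alice PAM_RHOST=192.0.2.10 PAM_TTY=ssh DRY_RUN=1 sh notify-login.sh` (constructed values) and confirm the body before wiring the script into pam.d.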
# grep -w system-auth /etc/pam.d/* | grep include
/etc/pam.d/chfn:auth include system-auth
/etc/pam.d/chfn:account include system-auth
/etc/pam.d/chfn:password include system-auth
/etc/pam.d/chfn:session include system-auth
/etc/pam.d/chsh:auth include system-auth
/etc/pam.d/chsh:account include system-auth
/etc/pam.d/chsh:password include system-auth
/etc/pam.d/chsh:session include system-auth
/etc/pam.d/config-util:auth include system-auth
/etc/pam.d/gdm-autologin:account include system-auth
/etc/pam.d/gdm-autologin:password include system-auth
/etc/pam.d/gdm-autologin:session include system-auth
/etc/pam.d/gdm-launch-environment:account include system-auth
/etc/pam.d/gdm-launch-environment:password include system-auth
/etc/pam.d/gdm-launch-environment:session include system-auth
/etc/pam.d/login:account include system-auth
/etc/pam.d/login:password include system-auth
/etc/pam.d/login:session include system-auth
/etc/pam.d/passwd:auth include system-auth
/etc/pam.d/passwd:account include system-auth
/etc/pam.d/pluto:auth include system-auth
/etc/pam.d/pluto:# auth include system-auth use_first_pass
/etc/pam.d/pluto:account include system-auth
/etc/pam.d/pluto:password include system-auth
/etc/pam.d/pluto:session include system-auth
/etc/pam.d/polkit-1:auth include system-auth
/etc/pam.d/polkit-1:account include system-auth
/etc/pam.d/polkit-1:password include system-auth
/etc/pam.d/polkit-1:session include system-auth
/etc/pam.d/setup:auth include system-auth
/etc/pam.d/su:account include system-auth
/etc/pam.d/su:password include system-auth
/etc/pam.d/su:session include system-auth
/etc/pam.d/sudo:auth include system-auth
/etc/pam.d/sudo:account include system-auth
/etc/pam.d/sudo:password include system-auth
/etc/pam.d/systemd-user:account include system-auth
/etc/pam.d/systemd-user:session include system-auth
/etc/pam.d/vlock:auth include system-auth
# grep -w password-auth /etc/pam.d/* | grep include
/etc/pam.d/atd:auth include password-auth
/etc/pam.d/atd:account include password-auth
/etc/pam.d/atd:session include password-auth
/etc/pam.d/crond:account include password-auth
/etc/pam.d/crond:session include password-auth
/etc/pam.d/crond:auth include password-auth
/etc/pam.d/cups:auth include password-auth
/etc/pam.d/cups:account include password-auth
/etc/pam.d/gdm-password:account include password-auth
/etc/pam.d/gdm-password:session include password-auth
/etc/pam.d/gdm-pin:account include password-auth
/etc/pam.d/gdm-pin:password include password-auth
/etc/pam.d/gdm-pin:session include password-auth
/etc/pam.d/ppp:auth include password-auth
/etc/pam.d/ppp:account include password-auth
/etc/pam.d/ppp:session include password-auth
/etc/pam.d/remote:account include password-auth
/etc/pam.d/remote:password include password-auth
/etc/pam.d/remote:session include password-auth
/etc/pam.d/smtp:auth include password-auth
/etc/pam.d/smtp:account include password-auth
/etc/pam.d/smtp.postfix:auth include password-auth
/etc/pam.d/smtp.postfix:account include password-auth
/etc/pam.d/sshd:account include password-auth
/etc/pam.d/sshd:password include password-auth
/etc/pam.d/sshd:session include password-auth
/etc/pam.d/xrdp-sesman:auth include password-auth
/etc/pam.d/xrdp-sesman:account include password-auth
/etc/pam.d/xrdp-sesman:password include password-auth
/etc/pam.d/xrdp-sesman:session include password-auth
That completes the configuration.
Thanks for reading.