root out who

A hair in the door jam that will fall when root gets compromised:

* * * * * ./cron_who.sh

file: cron_who.sh

#! /bin/bash
exec > /dev/null 2>&1
date >> who.log
who >> who.log
if grep root who.log
then
date >> root.log
fi

Instead of updating root.log you could have an email sent and nullify root cleaning up the logs if the hair is noticed.

Written by logicscience1

Husband, father, brother, spiritual philosopher, techno leader, drum n bass DJ, long distance runner and sometimes human.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.