Monitoring Root Accounts
by Russ Rogers - 11/27/00
The ultimate triumph for any intruder is gaining root access. Once access is gained, backdoors are typically created in order to
allow continued access to the system. One of the simplest backdoors is creating a new root account with a different name.
Although it sounds like an easy enough thing for a System Administrator to catch, it often goes unnoticed. SAs don't always have
the time or the desire to check the password file on a consistent basis. This is where scripting comes in handy. A good script can
be set up on a cron job to check for multiple root accounts on a regular basis.
Using simple shell commands, an SA can write a quick and dirty script similar to the sample below. Notice that it checks for
multiple accounts with a UID of 0. If an account is found that has UID 0 and is not actually "root", an email is sent to the
specified account.
#!/bin/sh
#
# Monitor Root script
# Print every account in /etc/passwd whose UID (field 3) is 0 but whose
# name (field 1) is not "root", and mail an alert for each one found.
for uid in `awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd`
do
mail -s "Possible Root Compromise" root@myemail.com << EOF
**************************************************************
Possible ROOT access account breach has occurred! The account
name ${uid} has UID 0
`date "+Detected: %D Time: %r"`
**************************************************************
EOF
done
By running this script through a cron job, you can better watch for illegal root accounts. A sample cron entry, which runs the script at 15 minutes past every hour and discards its output, looks like this:
15 * * * * /usr/local/scripts/monroot.sh > /dev/null 2>&1
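The same check, rewritten as an added example that is not part of the original article: the detection is split into functions so it can be run against any passwd-format file and exercised without sending mail, and it takes an allow-list for systems where a second UID-0 name is legitimate (FreeBSD's "toor", for instance). The function names, the alert wording and the sample passwd file are all assumptions of this example; in a cron job you would point it at /etc/passwd and pipe the alert to mail as the article does.

```shell
#!/bin/sh
# Added example, not the article's own script. All names and the sample data
# below are assumptions made for illustration.

# Print every account whose UID field is 0 and whose name is not in the
# space-separated allow-list given as the remaining arguments (default: root).
find_extra_uid0() {
    passwd_file="$1"
    shift
    allowed="${*:-root}"
    awk -F: -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        # Field 1 is the account name, field 3 the numeric UID.
        # NF >= 3 skips blank or truncated lines instead of misreading them.
        NF >= 3 && $3 == 0 && !($1 in ok) { print $1 }
    ' "$passwd_file"
}

# Number of extra UID-0 accounts; a wrapper can turn this into an exit status.
count_extra_uid0() {
    find_extra_uid0 "$@" | wc -l | tr -d ' '
}

# Compose the alert body for one suspicious account on stdout, so the caller
# decides whether it goes to mail, syslog, or a test.
build_alert() {
    account="$1"
    passwd_file="$2"
    printf '%s\n' "Possible root-level account detected in $passwd_file:" \
                  "account \"$account\" has UID 0" \
                  "$(date '+Detected: %Y-%m-%d %H:%M:%S')"
}

# Constructed sample passwd file (not a real system file) so the example runs
# offline. "sysadm" is the planted extra UID-0 account.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/sample_passwd.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
sysadm:x:0:0:looks harmless:/tmp:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

# Stand-alone run: print one alert per extra UID-0 account.
# In a cron job, replace the echo target with: | mail -s "Possible Root Compromise" root
for account in $(find_extra_uid0 "$SAMPLE_PASSWD"); do
    build_alert "$account" "$SAMPLE_PASSWD"
done
```

Because the alert text is built separately from the delivery step, the detection can be checked in place (for example, run once by hand against a copy of /etc/passwd) before it is scheduled, and the count function gives cron a non-zero signal to act on without parsing mail.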