Topic: Create a NAGIOS Alert if more than one superuser exists on server

[ghorst352]

I am trying to figure out how to write a plugin that contains conditional logic in regards to sending an alert if more than one superuser exists on the server. The only thing I have so far is the following command:

awk -F: '{if ($3 < 1) print $0}' < /etc/passwd

which prints --> root:x:0:0:root:/root:/bin/bash

This is close to what I need however I need this to report if the total count is more than one and I have no clue how to convert this into commands

So another words if I ran the same command and it printed the following then send an alert
awk -F: '{if ($3 < 1) print $0}' < /etc/passwd
root:x:0:0:root:/root:/bin/bash
super:x:0:0:super:/super:/bin/bash
-> send alert to Nagios

I need help with the script command and not the nagios part.  The nagios part I can take care of, it's the script command I cannot figure out.

Any help is appreciated.

Any help is appreciated.

[_alex]

Code: [Select]

[[ $(awk -F: '{if ($3 < 1) print $0}' < /etc/passwd | wc -l) -gt 1 ]] && echo alert

[Stefano]

not an answer but a question: why?

is there any possibility to have 2 or more superusers on the same server?

[ghorst352]

Thanks Alex, this is the final syntax I came up with after utilizing the wc command.

#!/bin/bash

    count=$(awk -F: '{if ($3 < 1) print $0}' < /etc/passwd | wc -l)
    if [ $count -lt 2 ] ; then
        echo "OK"
        exit 0
    elif [ $count=2 ] ; then
        echo "CRITICAL - Multiple Superusers"
        exit 2
    fi

done

Stefano, in regards to your question the purpose of this is purely for security.  My systems only have one superuser so anything thereafter is reason for an alert.


Thanks.

[CharlieBrady]

is there any possibility to have 2 or more superusers on the same server?

Yes, it is possible to have two users with different names, but both with uid of 0. But this will only happen if 1) you do it, or 2) someone cracks the root account on the system. If 2) occurs, you can't rely on any script running to generate an alert. Just warning you...

I think your time is better spent making your system more secure than it is to add this 'shut-the-stable-door-after-the-horse-has-bolted' alert. But that's your decision to make. First thing I would do is disable any PHP programs.

[ghorst352]

bump.