Beacon to fire events at failed login of users
New in version 2015.5.0.
```yaml
# Fire events on all failed logins
beacons:
  btmp: []

# Matching on user name, using a default time range
beacons:
  btmp:
    - users:
        gareth:
    - defaults:
        time_range:
          start: '8am'
          end: '4pm'

# Matching on user name, overriding the default time range
beacons:
  btmp:
    - users:
        gareth:
          time_range:
            start: '8am'
            end: '4pm'
    - defaults:
        time_range:
          start: '8am'
          end: '4pm'

# Matching on group name, overriding the default time range
beacons:
  btmp:
    - groups:
        users:
          time_range:
            start: '8am'
            end: '4pm'
    - defaults:
        time_range:
          start: '8am'
          end: '4pm'
```
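To make the matching rules above concrete, here is an added example (not Salt's own beacon code) that parses constructed btmp records and applies a `users:`/`defaults:` configuration of the shape shown above. It assumes the 384-byte x86_64 Linux utmp record layout and evaluates timestamps in UTC for determinism, whereas the real beacon uses the minion's local time; group matching is left out because it needs the system group database.

```python
import struct
from datetime import datetime, timezone
# Layout of one Linux utmp/btmp record on x86_64 (assumption: same struct the btmp beacon unpacks).
UTMP_FMT = "hi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

def parse_btmp(raw):
    """Yield (user, host, timestamp) for each fixed-size record in a btmp byte string."""
    for off in range(0, len(raw) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, raw[off:off + UTMP_SIZE])
        user = f[4].rstrip(b"\x00").decode(errors="replace")
        host = f[5].rstrip(b"\x00").decode(errors="replace")
        yield user, host, datetime.fromtimestamp(f[9], timezone.utc)

def in_time_range(when, rng):
    """True if the clock time of ``when`` falls within rng['start']..rng['end'] (e.g. '8am', '4pm')."""
    start = datetime.strptime(rng["start"], "%I%p").time()
    end = datetime.strptime(rng["end"], "%I%p").time()
    return start <= when.time() <= end

def matching_logins(records, config):
    """Apply a btmp beacon config (list of {users: ...}/{defaults: ...} items) to parsed records."""
    users, defaults = {}, {}
    for item in config:
        users.update(item.get("users") or {})
        defaults.update(item.get("defaults") or {})
    events = []
    for user, host, when in records:
        if users and user not in users:
            continue  # a users: list restricts the beacon to those accounts
        rng = (users.get(user) or {}).get("time_range") or defaults.get("time_range")
        if rng and not in_time_range(when, rng):
            continue  # a per-user range overrides defaults, as in the examples above
        events.append({"user": user, "hostname": host, "time": when.isoformat()})
    return events

def make_record(user, host, when):
    """Constructed btmp record (not real log data): ut_type 6, pid 1234, tty pts/0."""
    return struct.pack(UTMP_FMT, 6, 1234, b"pts/0", b"", user.encode(), host.encode(),
                       0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)

SAMPLE_CONFIG = [{"users": {"gareth": None}}, {"defaults": {"time_range": {"start": "8am", "end": "4pm"}}}]

def demo():
    raw = b"".join([
        make_record("gareth", "workstation-1", datetime(2019, 5, 1, 10, 30, tzinfo=timezone.utc)),
        make_record("gareth", "workstation-1", datetime(2019, 5, 1, 22, 0, tzinfo=timezone.utc)),
        make_record("root", "workstation-2", datetime(2019, 5, 1, 11, 0, tzinfo=timezone.utc)),
    ])
    return matching_logins(parse_btmp(raw), SAMPLE_CONFIG)
```

Only the first constructed record survives: the second falls outside the 8am to 4pm window and the third is for an account the `users:` list does not watch.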
For example, the failed-login events can be forwarded to Slack using the following reactor SLS:

```yaml
report-wtmp:
  runner.salt.cmd:
    - args:
      - fun: slack.post_message
      - channel: mychannel  # Slack channel
      - from_name: someuser  # Slack user
      - message: "Failed login from `{{ data.get('user', '') or 'unknown user' }}` on `{{ data['id'] }}`"
```
Match the event like so in the master config file:
```yaml
reactor:
  - 'salt/beacon/*/btmp/':
    - salt://reactor/btmp.sls
```
Note
This approach uses the slack execution module directly on the master, and therefore requires that the master has a slack API key in its configuration:

```yaml
slack:
  api_key: xoxb-XXXXXXXXXXXX-XXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXX
```
See the slack execution module documentation for more information. While you can use an individual user's API key to post to Slack, a bot user is likely better suited for this. The slack engine documentation has information on how to set up a bot user.
Read the last btmp file and return information on the failed logins
Validate the beacon configuration
© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/beacons/all/salt.beacons.btmp.html