salt.beacons.btmp

Beacon to fire events on failed user logins.

New in version 2015.5.0.

Example Configuration

# Fire events on all failed logins
beacons:
  btmp: []

# Matching on user name, using a default time range
beacons:
  btmp:
    - users:
        gareth:
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

# Matching on user name, overriding the default time range
beacons:
  btmp:
    - users:
        gareth:
            time_range:
                start: '8am'
                end: '4pm'
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

# Matching on group name, overriding the default time range
beacons:
  btmp:
    - groups:
        users:
            time_range:
                start: '8am'
                end: '4pm'
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

Use Case: Posting Failed Login Events to Slack

This can be done using the following reactor SLS:

report-wtmp:
  runner.salt.cmd:
    - args:
      - fun: slack.post_message
      - channel: mychannel      # Slack channel
      - from_name: someuser     # Slack user
      - message: "Failed login from `{{ data.get('user', '') or 'unknown user' }}` on `{{ data['id'] }}`"

Match the event like so in the master config file:

reactor:

  - 'salt/beacon/*/btmp/':
    - salt://reactor/btmp.sls

Note

This approach uses the slack execution module directly on the master, and therefore requires that the master has a slack API key in its configuration:

slack:
  api_key: xoxb-XXXXXXXXXXXX-XXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXX

See the slack execution module documentation for more information. While you can use an individual user's API key to post to Slack, a bot user is likely better suited for this. The slack engine documentation has information on how to set up a bot user.

salt.beacons.btmp.beacon(config)

Read the last btmp file and return information on the failed logins

salt.beacons.btmp.validate(config)

Validate the beacon configuration
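The following Python example is added here and is not Salt's implementation. It decodes btmp records and applies the `users` and `defaults` time_range matching shown in the configuration examples above. It assumes the 384-byte Linux x86-64 utmp record layout and that the range is compared with each record's own timestamp in UTC; `groups` matching is not handled, and the function names and sample records are constructed for illustration.

```python
import struct
from datetime import datetime, time, timezone

# Assumed layout: 384-byte Linux x86-64 utmp record, padding spelled out ("xx").
FMT = "<hxxi32s4s32s256shhiii4i20x"
SIZE = struct.calcsize(FMT)
FIELDS = "type pid line id user host e_term e_exit session sec usec".split()

def parse_btmp(blob):
    """Yield a dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(blob) - SIZE + 1, SIZE):
        ev = dict(zip(FIELDS, struct.unpack_from(FMT, blob, off)))
        for key in ("line", "id", "user", "host"):
            ev[key] = ev[key].split(b"\0", 1)[0].decode("utf-8", "replace")
        yield ev

def clock(text):
    """Parse only the '8am' / '4pm' form used in the configuration above."""
    return time(int(text[:-2]) % 12 + (12 if text[-2:].lower() == "pm" else 0))

def select(events, config):
    """Keep events for listed users that fall inside the applicable time_range."""
    merged = {k: v for item in config for k, v in item.items()}
    users, defaults = merged.get("users") or {}, merged.get("defaults") or {}
    kept = []
    for ev in events:
        if users and ev["user"] not in users:
            continue
        # A per-user time_range overrides the one under `defaults`.
        user_cfg = users.get(ev["user"]) or {}
        tr = user_cfg.get("time_range") or defaults.get("time_range")
        # Assumption of this example: compare the record's own time, in UTC.
        when = datetime.fromtimestamp(ev["sec"], tz=timezone.utc).time()
        if tr is None or clock(tr["start"]) <= when <= clock(tr["end"]):
            kept.append(ev)
    return kept

def sample_record(user, host, hour):
    """Constructed record dated 2024-01-15 UTC; type 6 is LOGIN_PROCESS."""
    sec = int(datetime(2024, 1, 15, hour, 30, tzinfo=timezone.utc).timestamp())
    return struct.pack(FMT, 6, 4242, b"ssh:notty", b"", user, host,
                       0, 0, 0, sec, 0, 0, 0, 0, 0)

SAMPLE = b"".join([sample_record(b"gareth", b"192.0.2.10", 9),
                   sample_record(b"gareth", b"192.0.2.10", 22),
                   sample_record(b"root", b"198.51.100.7", 10),
                   b"\x00" * 100])  # last item: truncated trailing record
CONFIG = [{"users": {"gareth": None}},
          {"defaults": {"time_range": {"start": "8am", "end": "4pm"}}}]
```

`select(parse_btmp(SAMPLE), CONFIG)` keeps only gareth's 09:30 record; the 22:30 record falls outside the default range and the root record does not match `users`.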
