For some critical machines when it is not usual that users login through SSH or execute SU to become superuser, we can use PAM module configuration to receive some kind of alert whenever a user logs into that machine or escalates privileges to root.

Two options here:

• /etc/pam.d/su: To receive alerts every time a user becomes root

• /etc/pam.d/sshd: To receive alerts every time a user logs in successfully in this machine

Whatever option you choose, you will have to add the following line at the end of that file.

session optional pam_exec.so /usr/local/bin/mail-login.php

The script mail-login.php looks pretty simple:

#!/usr/bin/php

<?php

mail("YOUR@EMAIL.COM", "login successful", "User: ".system("id")."\n\nIP: ".system("w -h | awk '{print $3}'")."\n\n".system("last"));

exit(0);