Mail me when someone runs command using sudo – Linux Security
There is situation that i wanted to monitor all the sudo users activity, When ever they type an command using sudo i should get an email. This is very important when your working as a Linux Security Administrator / Security analyst. As a Linux Administrator you should have an evidence to prove somebody is screed up something in your environment.
Restrict your Administrator’s to use sudo for all the important commands by writing an restriction in /etc/sudoers file then change the permission of the /etc/sudoers to 600 using root. No user will able to see the
:: Prerequisites ::
- Restrict users by adding restrictions to /etc/sudoers
- Create an distribution list and add that to configuration – because every time we are not going to modify config file
Most of the time what we will do is we will provide an full rights to the administrator based an there designation and level of exportation, but we don’t know what he / she is doing an the production environment. In order to monitor the typed commands with sudo, We have to add below lines to the configuration file.
Add the entry to the /etc/sudoers as mentioned below, It will send you an alert whenever user type the command using sudo. Providing the the path of the log file it will save an every executed command as shown in below:
~]# vi /etc/sudoers ###### Get every alert when user fired an command with sudo #### Defaults syslog=auth, insults, syslog_goodpri=alert Defaults logfile=/var/log/sudo.log Defaults timestamp_timeout=0, log_year, tty_tickets Defaults mailto="email@example.com", mail_always, mail_badpass, mail_no_user
Some times we need an exceptional cases that we don’t want to get alert when particular user types and commands with sudo before the command.
we have to modify the configuration as shown in below.
~]#vi /etc/sudoers User_Alias NoMail = goodboy, goodgirl User_Alias MailUsers = ALL, !NoMail Defaults mailto="firstname.lastname@example.org" Defaults:MailUsers mail_always Defaults:NoMail !mail_badpass
Where User_Alias NoMail it will not send a mail for that specified users.
Your feedback is valuable to us….