Mail me when someone runs command using sudo – Linux Security

There is situation that i wanted to monitor all the sudo users activity, Whenever they type an command using sudo i should get an email. This is very important when your working as a Linux Security Administrator / Security analyst.  As a Linux Administrator you should have an evidence to prove somebody is screed up something in your environment. Mail me when someone runs command using sudo Linux Security Feature.

Restrict your Administrator’s to use sudo for all the important commands by writing an restriction in /etc/sudoers file then change the permission of the /etc/sudoers to 600 using root. No user will able to see the

:: Prerequisites ::

  1. Restrict users by adding restrictions to /etc/sudoers
  2. Create an distribution list and add that to configuration – because every time we are not going to modify config file

Mail me when someone runs command using sudo – Linux Security

Most of the time what we will do is we will provide an full rights to the administrator based an there designation and level of exportation, but we don’t know what he / she is doing an the production environment. In order to monitor the typed commands with sudo, We have to add below lines to the configuration file.

Add the entry to the /etc/sudoers as mentioned below, It will send you an alert whenever user type the command using sudo. Providing the the path of the log file it will save an every executed command as shown in below:

~]# vi /etc/sudoers
###### Get every alert when user fired an command with sudo ####
Defaults        syslog=auth, insults, syslog_goodpri=alert
Defaults        logfile=/var/log/sudo.log
Defaults        timestamp_timeout=0, log_year, tty_tickets
Defaults        mailto="aravikumar48@gmail.com", mail_always, mail_badpass, mail_no_user

Some times we need an exceptional cases that we don’t want to get alert when particular user types and commands with sudo before the command.

  • mail_always Send mail to the mailto user every time a users runs sudo. This flag is off by default.
  • mail_badpass Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
  • mail_no_host If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.
  • mail_no_perms If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
  • mail_no_user If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.
  • noexec If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC tag. See the description of NOEXEC and EXEC below as well as the “PREVENTING SHELL ESCAPES” section at the end of this manual. This flag is off by default.

we have to modify the configuration as shown in below.

~]#vi /etc/sudoers
User_Alias NoMail = goodboy, goodgirl
User_Alias MailUsers = ALL, !NoMail
Defaults           mailto="aravikumar48@gmail.com"
Defaults:MailUsers mail_always
Defaults:NoMail    !mail_badpass

Where User_Alias NoMail it will not send a mail for that specified users.

That’s it About Mail Me When someone Runs Command using sudo.

Your feedback is valuable to us….

Related Articles

Upgrade Kernel Version to Stable Latest

Shrink LVM volume

Youtube Link

Thanks for your wonderful Support and Encouragement

Ankam Ravi Kumar

Working as Linux / Storage Administrator L3. Interested in sharing the knowledge.

You may also like...

4 Responses

  1. Prashant says:

    Thanks Ravi !!!

  2. prashant4289 says:

    Is this article steps work on all Linux Distros? I have debian Os.

    Thanks This is really Helpful

  3. sathya says:

    please try to change the permission of the /etc/sudoers file back to 0440, else you may not be able to do suod.

Leave a Reply