When you work as a Linux administrator or security analyst, it is often important to monitor users' sudo activity. As a Linux administrator, you should have evidence to show who changed what in your environment.
You can monitor all sudo activity so that whenever a user runs a command through sudo, you receive an email.
Update /etc/sudoers with the configuration below.
Use vi /etc/sudoers or visudo.
I prefer visudo, because it validates the /etc/sudoers syntax before you save it.
Append the following configuration to /etc/sudoers:
#sudo activity notifications
Defaults mail_always
Defaults mailerpath=/usr/sbin/sendmail
Defaults mailto="admin@example.com"
Defaults mailfrom = "root@servername.example.com"
Defaults mailsub="*** Command run via sudo on %h ***"
Defaults mailerflags="-t"
Defaults logfile=/var/log/sudo.log
If you want to monitor only one user or group, replace the first line (Defaults mail_always) with a per-user or per-group entry. Groups are prefixed with % in sudoers:
Defaults:user1 mail_always
Defaults:%groupname mail_always
If you want to monitor all users but exclude one or more users, replace the first line with the following (the alias lists the users to exclude, and the Defaults entry applies to everyone else):
User_Alias NOMAIL = user1, user2
User_Alias MAILUSERS = ALL, !NOMAIL
Defaults:MAILUSERS mail_always
The last line in the configuration writes sudo activity to a separate file, /var/log/sudo.log. This makes a quick search of a user's sudo activity easy.
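To make that quick search repeatable, here is an added example (not from the original post) that parses the /var/log/sudo.log format and summarizes which commands each user ran and which attempts sudo rejected. It assumes the file layout that sudo produces with the logfile option: a timestamp, the invoking user, an optional rejection reason, and then semicolon-separated TTY, PWD, USER and COMMAND fields, with long entries wrapped onto indented continuation lines. The log lines below are constructed sample data, not real entries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/sudo.log content (not a real log).
# Layout assumed to match sudo's "logfile" output: timestamp, user,
# optional rejection reason, then ' ; ' separated KEY=VALUE fields.
# sudo wraps long entries onto indented continuation lines (loglinelen).
SAMPLE_LOG = """\
Mar 10 09:12:01 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;
    COMMAND=/usr/bin/apt update
Mar 10 09:13:44 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ;
    USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:15:09 : alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar 10 09:16:30 : bob : 3 incorrect password attempts ; TTY=pts/1 ;
    PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop sshd
"""

# timestamp : user : rest-of-entry
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<user>\S+) : (?P<rest>.*)$"
)


def join_continuations(text):
    """Re-join entries that sudo wrapped onto indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries


def parse_entry(entry):
    """Turn one joined log entry into a dict; return None if it does not match."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    fields = {"timestamp": m.group("ts"), "user": m.group("user"), "status": "ok"}
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            # A part without '=' is sudo's reason text for a rejected attempt,
            # e.g. "command not allowed" or "3 incorrect password attempts".
            fields["status"] = part.strip()
    return fields


def parse_log(text):
    return [e for e in map(parse_entry, join_continuations(text)) if e]


def summarize(records):
    """Count executables per user and collect rejected attempts."""
    by_user = defaultdict(Counter)
    denied = []
    for r in records:
        executable = r.get("COMMAND", "?").split()[0]
        by_user[r["user"]][executable] += 1
        if r["status"] != "ok":
            denied.append(r)
    return by_user, denied


if __name__ == "__main__":
    by_user, denied = summarize(parse_log(SAMPLE_LOG))
    for user, counts in sorted(by_user.items()):
        print(user, dict(counts))
    for r in denied:
        print("REJECTED", r["timestamp"], r["user"], r["status"], r.get("COMMAND"))
```

Point parse_log at the real file contents (open("/var/log/sudo.log").read()) to run it against your own log. Rejected attempts are the entries worth reviewing first, since an accepted command already generated a mail under the configuration above.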