09-28-2009 06:00 AM
sudo unsuccessful login alerts through mail
I have tried giving
Defaults logfile = /var/adm/sudo.log
Defaults:ALL mailto= "xyz@abc.com"
but the mail part does not work, the mail_always works fine.
Help me in resolving this. Fine if a proper syntax is provided as well.
09-28-2009 06:40 AM
Re: sudo unsuccessful login alerts through mail
> I wanted a mail to be sent to me if the user not listed in the sudoers file tried to login via sudo
The option you are looking for is
mail_no_user
but it is turned on by default so I think the problem you are having is that you get both types of messages, the ones from mail_always (send message every time a user executes sudo) and the ones from mail_no_user (the user is not in sudoers file). Try to turn mail_always off
Defaults !mail_always
(or simply omit this option since it is off by default)
> but the mail part does not work
Is the real problem that mail is not sent whether with or without any options?
Kind regards,
Kobylka
09-28-2009 06:51 AM
Re: sudo unsuccessful login alerts through mail
09-28-2009 08:59 AM
Re: sudo unsuccessful login alerts through mail
The lastb command tracks unsuccessful logins. You can tail this report every hour or 12 hours, but I don't know how to do it in real time.
09-28-2009 10:06 AM
Re: sudo unsuccessful login alerts through mail
> Mail is not sent at all.
This is a common problem with sudo and mail_no_user, mail_no_host. The corresponding message is only sent if the user (which is NOT in the /etc/sudoers file) has authenticated SUCCESSFULLY.
The behaviour one expects would be a mail sent as soon as this user executes "sudo" but this is not the case. If you really need this behaviour you could just change the source code, though.
Kind regards,
Kobylka
09-28-2009 10:33 AM
Re: sudo unsuccessful login alerts through mail
09-28-2009 10:10 PM
Re: sudo unsuccessful login alerts through mail
/var/adm/sudo.log
When any change to the file occurs, the script should send an email including the last 10-20 lines from this file.
This way the script would be easy to make, but you will get the results from all logged activity generated by sudo. You have to parse this file (in the script of course) in order to ignore successful logins.
If your setup (using "Defaults logfile = /var/adm/sudo.log") does not provide you the sudo.log file, you could use the syslog daemon like this:
Add the following to /etc/syslog.conf:
local2.debug
(Do not forget that in syslog.conf you must use TABs!)
------------------
also, in the same file you should add
;local2.none
after "mail.none" as in the example:
*.info;mail.none /var/adm/syslog.log
would become:
*.info;mail.none;local2.none /var/adm/syslog.log
This is for avoiding double logging.
--------------------
Create the log file:
touch /var/adm/sudo.log
Then restart the syslogd daemon (sending a HUP would do the job)
Best regards from Romania
Horia Chirculescu
Horia.
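The log-watching script described in the post above, as an added example that is not part of the original thread. The state-file path, the recipient, the use of mailx, the function names and the rule that a rejected entry is one whose text after the user name does not begin with TTY= are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. LOG is the path used in the thread;
# STATE and RCPT are assumed names, and mailx is assumed to be the mailer.
LOG=${LOG:-/var/adm/sudo.log}
STATE=${STATE:-/var/adm/sudo.log.lines}
RCPT=${RCPT:-root}

# Print the rejected attempts found after line $2 of file $1, one per line.
# sudo wraps long entries onto indented continuation lines, so those are
# rejoined first. A permitted command has TTY= right after "user : ";
# anything else there (e.g. "user NOT in sudoers") is treated as a rejection.
sudo_failures() {
    awk -v skip="$2" '
        function flush(   f) {
            if (rec != "") { split(rec, f, " : "); if (f[3] !~ /^TTY=/) print rec }
            rec = ""
        }
        NR <= skip             { next }
        /^[ \t]/ && rec == ""  { next }
        /^[ \t]/               { sub(/^[ \t]+/, " "); rec = rec $0; next }
                               { flush(); rec = $0 }
        END                    { flush() }
    ' "$1"
}

# Mail any new rejections and remember how many lines have been read.
check_sudo_log() {
    last=$(cat "$STATE" 2>/dev/null) || last=0
    last=${last:-0}
    total=$(wc -l < "$LOG" | tr -d ' ')
    if [ "$total" -lt "$last" ]; then last=0; fi   # log rotated or truncated
    hits=$(sudo_failures "$LOG" "$last")
    echo "$total" > "$STATE"
    if [ -n "$hits" ]; then
        echo "$hits" | mailx -s "sudo rejections on $(uname -n)" "$RCPT"
    fi
}

# Constructed sample entries in the layout of sudo's own log file.
sample_log() {
cat <<'EOF'
Sep 28 10:06:01 : alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ;
    USER=root ; COMMAND=/usr/bin/id
Sep 28 10:07:12 : bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ls
Sep 28 10:08:30 : carol : 3 incorrect password attempts ; TTY=pts/3 ;
    PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su
EOF
}

if [ "${1:-}" = "--check" ]; then check_sudo_log; fi
```

Run from cron with the `--check` argument, each run mails only the rejections written since the previous run.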
09-29-2009 01:49 AM
Re: sudo unsuccessful login alerts through mail
> Changing the source code?
Actually I meant MoDiFyInG the source to suit your needs.
I have attached a diff file, sudomod.sh, for version sudo-1.7.2p1 that does exactly what you want, send a mail every time a non sudoer invokes the sudo command. You will be notified only ONCE. Control this behaviour through mail_no_user option in /etc/sudoers.
If you have never dealt with diffs:
1. Unzip and untar sudo source for 1.7.2p1
2. Copy sudomod.sh into sudo-1.7.2p1 dir and run it like "sh sudomod.sh".
3. make and make install
> The lastb command tracks unsuccessful logins.
The lastb only prints the contents of /var/adm/btmp which is only written to by "btmp aware" programs such as login, but not sudo.
Kind regards,
Kobylka