sudo unsuccessful login alerts through mail

 
bhargavi
Advisor

sudo unsuccessful login alerts through mail

Hi, I wanted a mail to be sent to me if the user not listed in the sudoers file tried to login via sudo.
I have tried giving
Defaults logfile = /var/adm/sudo.log
Defaults:ALL mailto= "xyz@abc.com"
but the mail part does not work, the mail_always works fine.
Help me in resolving this. Fine if a proper syntax is provided as well.
7 REPLIES
kobylka
Valued Contributor

Re: sudo unsuccessful login alerts through mail

Hello bhargavi!

> I wanted a mail to be sent to me if the user not listed in the sudoers file tried to login via sudo

The option you are looking for is

mail_no_user

but it is turned on by default so I think the problem you are having is that you get both types of messages, the ones from mail_always (send a message every time a user executes sudo) and the ones from mail_no_user (the user is not in the sudoers file). Try to turn mail_always off

Defaults mail_always=off

(or simply omit this option since it is off by default)

> but the mail part does not work

Is the real problem that mail is not sent whether with or without any options?


Kind regards,

Kobylka
bhargavi
Advisor

Re: sudo unsuccessful login alerts through mail

Mail is not sent at all.
Michael Steele_2
Honored Contributor

Re: sudo unsuccessful login alerts through mail

Hi

The lastb command tracks unsuccessful logins. You can tail this report every hour or 12 hours, but I don't know how to do it in real time.
Support Fatherhood - Stop Family Law
kobylka
Valued Contributor

Re: sudo unsuccessful login alerts through mail

Hello bhargavi!


> Mail is not sent at all.


This is a common problem with sudo and mail_no_user, mail_no_host. The corresponding message is only sent if the user (which is NOT in the /etc/sudoers file) has authenticated SUCCESSFULLY.

The behaviour one expects would be a mail sent as soon as this user executes "sudo" but this is not the case. If you really need this behaviour you could just change the source code, though.

Kind regards,

Kobylka
bhargavi
Advisor

Re: sudo unsuccessful login alerts through mail

Changing the source code? Can you please explain this.
Horia Chirculescu
Honored Contributor

Re: sudo unsuccessful login alerts through mail

You could run some small script that will look for changes in the file:

/var/adm/sudo.log

When any change to the file occurs, the script should send an email including the last 10-20 lines from this file.

This way the script would be easy to make, but you will get the results from all logged activity generated by sudo. You have to parse this file (in the script, of course) in order to ignore successful logins.

If your setup (using "Defaults logfile = /var/adm/sudo.log") does not give you the sudo.log file, you could use the syslog daemon like this:

Add the following to /etc/syslog.conf:

local2.debug /var/adm/sudo.log

(
Do not forget that in syslog.conf you must use TABs!
)

------------------
also, in the same file you should add

;local2.none

after "mail.none" as in the example:

*.info;mail.none /var/adm/syslog.log

would become:

*.info;mail.none;local2.none /var/adm/syslog.log

This is to avoid double logging.
--------------------

Create the log file:

touch /var/adm/sudo.log

Then restart the syslogd daemon (sending a HUP would do the job)


Best regards from Romania
Horia Chirculescu
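The approach Horia describes (watch /var/adm/sudo.log, parse out the successful entries, mail the rest), written out as an added example in POSIX shell. This is not code from the thread or from the sudo project. The log lines in sudo_write_sample_log are constructed; the three message fragments it matches ("user NOT in sudoers", "command not allowed", "N incorrect password attempts") are the strings sudo writes when it refuses a command, so a non-sudoer who fails the password prompt is caught as well as one who authenticates. It goes slightly beyond the question by also reporting sudoers who try a command the policy does not allow. The state-file mechanism, the function names and the use of mailx for delivery are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: a cron-driven watcher for
# sudo's logfile that mails only refused invocations. The log lines in
# sudo_write_sample_log are constructed; the message strings in
# SUDO_FAIL_PATTERN are the ones sudo itself writes on a refusal.

# Messages sudo logs when it refuses to run a command. Matching on these
# fragments works for both the "Defaults logfile" format
# ("Jan 12 10:15:01 : user : user NOT in sudoers ; ...") and the syslog
# format ("Jan 12 10:15:01 host sudo: user : user NOT in sudoers ; ...").
SUDO_FAIL_PATTERN='user NOT in sudoers|command not allowed|incorrect password attempt'

# Print only the refusal lines from the given file (or stdin). Successful
# runs, which carry none of these strings, are dropped. Always returns 0.
sudo_failed_attempts() {
    grep -E "$SUDO_FAIL_PATTERN" "$@" || true
}

# Print refusals appended to log $1 since the previous run, remembering
# how many lines were already seen in state file $2. A shrunken log
# (rotated or truncated) or a garbled state file restarts from line 1.
sudo_new_failures() {
    log=$1; state=$2
    seen=0
    [ -s "$state" ] && seen=$(tr -d ' \n' < "$state")
    case "$seen" in ''|*[!0-9]*) seen=0 ;; esac
    total=$(wc -l < "$log" | tr -d ' ')
    [ "$total" -lt "$seen" ] && seen=0
    tail -n +"$((seen + 1))" "$log" | sudo_failed_attempts
    echo "$total" > "$state"
}

# Deliver the alert body read from stdin: $1 = subject, $2 = recipient.
# Redefine this function (e.g. to "cat") to test without a mail system.
sudo_send_mail() {
    mailx -s "$1" "$2"
}

# Mail new refusals in log $1 to recipient $3, tracking progress in $2.
# Silent, and returns 0, when there is nothing new to report.
sudo_mail_failures() {
    body=$(sudo_new_failures "$1" "$2")
    [ -n "$body" ] || return 0
    printf '%s\n' "$body" | sudo_send_mail "sudo: refused attempts on $(hostname)" "$3"
}

# Constructed sample of /var/adm/sudo.log: a non-sudoer who authenticated
# (so sudo logged "user NOT in sudoers"), a normal successful run, a
# sudoer trying a command the policy does not allow, and a non-sudoer who
# failed the password prompt.
sudo_write_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:15:01 : bhargavi : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bhargavi ; USER=root ; COMMAND=/usr/bin/id
Jan 12 10:16:30 : operator : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/swapinfo
Jan 12 10:17:45 : guest : command not allowed ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/passwd
Jan 12 10:19:02 : bhargavi : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bhargavi ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# Demo on the sample: the first pass prints three refusals, the second
# pass nothing, because the state file now records all four lines as seen.
demo_log=$(mktemp) && demo_state=$(mktemp)
sudo_write_sample_log "$demo_log"
echo '--- first pass ---';  sudo_new_failures "$demo_log" "$demo_state"
echo '--- second pass ---'; sudo_new_failures "$demo_log" "$demo_state"
rm -f "$demo_log" "$demo_state"
```

In use, sudo_mail_failures would be called from cron every few minutes with the real log, a root-writable state file (somewhere under /var/adm, for instance) and the recipient address; the line-count state keeps each refusal from being mailed twice, and the reset on a shrunken log means a rotated file is picked up from its first line rather than skipped.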
kobylka
Valued Contributor

Re: sudo unsuccessful login alerts through mail

Hello bhargavi!


> Changing the source code?

Actually I meant MoDiFyInG the source to suit your needs.

I have attached a diff file, sudomod.sh, for version sudo-1.7.2p1 that does exactly what you want: it sends a mail every time a non-sudoer invokes the sudo command. You will be notified only ONCE. Control this behaviour through the mail_no_user option in /etc/sudoers.

If you have never worked with diffs:

1. Unzip and untar the sudo source for 1.7.2p1
2. Copy sudomod.sh into the sudo-1.7.2p1 dir and run it like "sh sudomod.sh".
3. Run make and make install


> The lastb command tracks unsuccessful logins.

lastb only prints the contents of /var/adm/btmp, which is only written to by "btmp aware" programs such as login, but not sudo.


Kind regards,

Kobylka