My production node.js app runs on Ubuntu server. I came across a great post a while back which included a tip on how to send an email every time a user runs a sudo command on the server. It's a very handy way to get notifications of something that could be malicious.
Create a file /etc/sudoers.d/my_sudoers that contains:
Defaults mail_always Defaults mailto="email@example.com"
Then chmod the new file to 0440, and finally setup a mail transport agent like Sendmail via:
sudo apt-get install sendmail
And now you get an email every time sudo is run on that machine with a subject line like:
*** SECURITY information for lixxx-xx.members.linode.com ***
And the body contains info on what user ran sudo, what command they executed, and the pwd. Very reassuring.
Thanks to @feross who wrote the original post! It's a great read for many other tips as well.