Get an email whenever 'sudo' is run on production
My production Node.js app runs on an Ubuntu server. I came across a great post a while back which included a tip on how to send an email every time a user runs a sudo command on the server. It's a very handy way to get notifications of something that could be malicious.
Create a file /etc/sudoers.d/my_sudoers that contains:
Defaults mail_always
Defaults mailto="youremail@gmail.com"
Then chmod the new file to 0440, and finally set up a mail transfer agent like Sendmail via:
sudo apt-get install sendmail
And now you get an email every time sudo is run on that machine with a subject line like:
*** SECURITY information for lixxx-xx.members.linode.com ***
And the body contains info on what user ran sudo, what command they executed, and the pwd. Very reassuring.
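The drop-in steps above, scripted so the file is syntax-checked with visudo before it goes live, since a broken sudoers file can stop sudo from working (an added example, not from the original post; the function names are hypothetical and the file name and address are the sample values used above):

```shell
#!/bin/sh
# Added example: build, validate and install the sudoers drop-in described above.
# Function names are hypothetical; file name and address are the page's samples.
DROPIN_DIR=/etc/sudoers.d
DROPIN_NAME=my_sudoers

# sudo silently skips files in sudoers.d whose names contain '.' or end in '~'.
valid_dropin_name() {
    case "$1" in
        ""|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the two Defaults lines to file $1 for address $2, then set mode 0440.
build_dropin() {
    out=$1 addr=$2
    # Refuse anything that could break out of the quoted sudoers value.
    case "$addr" in ""|*[!A-Za-z0-9@._+-]*) return 1 ;; esac
    printf 'Defaults mail_always\nDefaults mailto="%s"\n' "$addr" > "$out" || return 1
    chmod 0440 "$out"
}

# Syntax-check a candidate file without touching the live configuration.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1" >/dev/null
}

# Build in a temp file, validate, and only then copy into place as root:root 0440.
install_dropin() {
    valid_dropin_name "$DROPIN_NAME" || return 1
    tmp=$(mktemp) || return 1
    build_dropin "$tmp" "$1" && check_dropin "$tmp" &&
        install -o root -g root -m 0440 "$tmp" "$DROPIN_DIR/$DROPIN_NAME"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run as root: sh this_script.sh install youremail@gmail.com
if [ "${1:-}" = "install" ]; then
    install_dropin "${2:-}"
fi
```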
Thanks to @feross who wrote the original post! It's a great read for many other tips as well.