Last Updated: August 01, 2023
· chrisbumgardner

Get an email whenever 'sudo' is run on production

My production node.js app runs on Ubuntu server. I came across a great post a while back which included a tip on how to send an email every time a user runs a sudo command on the server. It's a very handy way to get notifications of something that could be malicious.

Create a file /etc/sudoers.d/my_sudoers that contains:

Defaults    mail_always
Defaults    mailto=""

Then chmod the new file to 0440, and finally setup a mail transport agent like Sendmail via:

sudo apt-get install sendmail

And now you get an email every time sudo is run on that machine with a subject line like:

*** SECURITY information for ***

And the body contains info on what user ran sudo, what command they executed, and the pwd. Very reassuring.

Thanks to @feross who wrote the original post! It's a great read for many other tips as well.