UNIX / Linux: Send E-mail When sudo Runs

July 1, 2009 · 11 comments · LAST UPDATED July 1, 2009

I'm not told to use the root user to perform activities that do not require it. I've configured sudo for myself and for other web developers so that they can restart MySQL or Apache web server. How do I send an email when sudo is run by one of my users? How do I keep track of user logins done via the sudo command?

sudo greatly enhances the security of the system because the root password does not have to be shared with other users and admins. sudo provides simple auditing and tracking features too.

Configure sudo To Send E-mail

Sudo can be configured to send e-mail when the sudo command is used. Open the /etc/sudoers file with visudo, which checks the syntax before saving, enter:
# visudo
Configure the alert email id. Each setting must be on a line that starts with the Defaults keyword:

 
   Defaults        mailto="admin@staff.example.com"
   Defaults        mail_always
 

Where,

  • mailto="admin@staff.example.com" : Your email id.
  • mail_always : Send mail to the mailto user every time a user runs sudo. This flag is off by default.

Additional options:

  • mail_badpass : Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
  • mail_no_host : If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.
  • mail_no_perms : If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
  • mail_no_user : If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

Sudo Logfile

By default, sudo logs via syslog. You can see the sudo log in /var/log/auth.log (Debian / Ubuntu) or /var/log/secure (Red Hat and friends). However, you can set the path to a sudo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. Type the following command to edit the file:
# sudoedit /etc/sudoers
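Set the path to the log file (the !syslog flag below turns off logging via syslog, so sudo events are written only to this file):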

 
   Defaults        !lecture,tty_tickets,!fqdn,!syslog
   Defaults        logfile=/var/log/sudo.log
 

Save and close the file. To see logs type:
# tail -f /var/log/sudo.log
# egrep -i 'foo' /var/log/sudo.log
# egrep -i 'user1|user2|cmd2' /var/log/sudo.log

Sample Outputs:

Jul  1 12:30:13 : vivek : TTY=pts/3 ; PWD=/home/vivek ; USER=root ; COMMAND=/bin/bash
Jul  1 12:34:02 : vivek : TTY=pts/0 ; PWD=/home/vivek ; USER=root ;
    COMMAND=sudoedit /etc/sudoers
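
The log format above wraps long records onto an indented continuation line, so a plain egrep can miss the COMMAND= part of an event. The following is an added example, not part of the original article: it re-joins wrapped records and flags denials, interactive shells and sudoers edits. The function names and the last three sample lines are constructed, and it assumes the default logfile layout (no log_host or log_year).

```shell
#!/bin/sh
# Added example: summarize a sudo logfile written via "Defaults logfile=...".
# Assumes the default record layout shown above (no log_host / log_year).

# Sample input: first three lines are the article's output, the rest are constructed.
sample_sudo_log() {
    cat <<'EOF'
Jul  1 12:30:13 : vivek : TTY=pts/3 ; PWD=/home/vivek ; USER=root ; COMMAND=/bin/bash
Jul  1 12:34:02 : vivek : TTY=pts/0 ; PWD=/home/vivek ; USER=root ;
    COMMAND=sudoedit /etc/sudoers
Jul  1 12:40:11 : user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/etc/init.d/mysql restart
Jul  1 12:41:57 : user2 : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/user2 ; USER=root ; COMMAND=/etc/init.d/apache2 restart
Jul  1 12:45:30 : guest : user NOT in sudoers ; TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# Print one "user|run_as|status|command" line per event; wrapped lines are re-joined.
sudo_log_events() {
    awk '
    function emit(   rest, p, user, body, c, cmd, status, runas) {
        if (rec == "") return
        rest = substr(rec, index(rec, " : ") + 3)      # drop the timestamp
        p = index(rest, " : ")
        user = substr(rest, 1, p - 1); body = substr(rest, p + 3)
        c = index(body, "COMMAND=")
        cmd = (c ? substr(body, c + 8) : "")
        # Successful runs start with TTY=; failures start with a reason string.
        status = "ok"
        if (body !~ /^TTY=/) status = substr(body, 1, index(body, " ; ") - 1)
        runas = "-"
        if (match(body, /USER=[^ ;]+/)) runas = substr(body, RSTART + 5, RLENGTH - 5)
        print user "|" runas "|" status "|" cmd
        rec = ""
    }
    /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }   # continuation line
    { emit(); rec = $0 }
    END { emit() }
    ' "$@"
}

# Keep only events worth a second look: denials, interactive shells, sudoers edits.
sudo_log_review() {
    sudo_log_events "$@" | awk -F"|" '
        $3 != "ok"                                 { print "DENIED|" $0; next }
        $4 ~ /^(\/usr)?\/bin\/(ba|da|z|k)?sh( |$)/ { print "SHELL|" $0; next }
        $4 ~ /sudoers/                             { print "SUDOERS|" $0 }
    '
}

sample_sudo_log | sudo_log_review
```

To run it against the real file, call `sudo_log_review /var/log/sudo.log` as root instead of piping in the sample.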

{ 11 comments… read them below or add one }

1 Liju July 1, 2009 at 10:43 am

Thanks,

Good tips for staging-prod servers.. to catch all the activities….

Reply

2 Lava Kafle July 1, 2009 at 11:30 am

thanks great tip for us

Reply

3 Jennifer DiNardo July 1, 2009 at 11:57 am

Thanks! This is one more step in creating a secure server environment and it keeps me from having to check the log files often.

Reply

4 Rolf July 3, 2009 at 7:52 pm

I had to write it like this:
Defaults mailto="sudoers@domain.com",mail_always

Reply

5 nixCraft July 7, 2009 at 9:51 am

@Rolf,

Can you tell us about your sudo version?

Reply

6 Babin Lonston May 26, 2014 at 8:09 am

I'm using CentOS version

[sysadmin@li406-64 ~]$ cat /etc/redhat-release
CentOS release 6.4 (Final)

I'm using sudo version

[sysadmin@backup-srv ~]$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3

I tried to set up notification mail for sudo and added this entry at the bottom of the sudo file using the command visudo, but I am getting a syntax error.

Defaults mailto “babin@xxxxxxxxx.com”
Defaults mailfrom “root@media.xxxxxxxxxxx.com
Defaults mail_always on
Defaults mailsub “*** Command run via sudo on %h ***”
Defaults mail_badpass on
Defaults badpass_message “Please Provide Correct Password”
Defaults !lecture,tty_tickets,!fqdn,!syslog
Defaults logfile=/var/log/sudo.log

This is the error I keep on getting while saving the sudo file:

121 Defaults mailto “babin@xxxxxxxxx.com”
122 Defaults mailfrom “root@media.xxxxxxxxxxx.com
123 Defaults mail_always on
124 Defaults mailsub “*** Command run via sudo on %h ***”
125 Defaults mail_badpass on
126 Defaults badpass_message “Please Provide Correct Password”
127 Defaults !lecture,tty_tickets,!fqdn,!syslog
128 Defaults logfile=/var/log/sudo.log

Error:

visudo: >>> /etc/sudoers: syntax error near line 121 <<>> /etc/sudoers: syntax error near line 121 <<<
What now?

Please guide me how to setup the mail notification for Sudo version 1.8.6p3

Reply

7 M.S. Babaei August 1, 2009 at 3:34 am

Great!! Good job!!

Reply

8 Gokul December 22, 2009 at 1:08 pm

I want to configure a sudo password: when I use the sudo command in a terminal, then it should ask for the password every time.
When I use PuTTY and a cert key, then it does not ask for a password.

Reply

9 ambrozy May 1, 2010 at 6:41 pm

Vivek: I have the same problem as Rolf. My sudo version is 1.6.9p17

And this is what happens:
I am editing /etc/sudoers with visudo. The result of adding 3 lines which you can find below:

Defaults env_reset
mailto “admin@staff.example.com”
mail_always on

is that I’m getting error message:

ambrozy@zeus:~$ sudo visudo
>>> sudoers file: syntax error, line 8 <<>> sudoers file: syntax error, line 10 <<<

With "Defaults" at the beginning it's working fine:

Defaults !lecture,tty_tickets,!fqdn,!syslog
Defaults logfile=/var/log/sudo.log
Defaults mailto="noc@wired.pl",mail_always
Defaults mail_badpass, mailsub="** BAD AUTHENICATION: %U %h **"
Defaults mail_no_user, mailsub="** USER NOT IN SUDOERS: %U %h **"
Defaults mail_no_perms, mailsub="** SUDO PERMISSION ABUSE: %U %h **"

Reply

10 Sandeep December 31, 2010 at 4:41 am

Be careful while editing the sudoers file; you won't be able to get access as root again. In that case, enter single user mode (recovery mode), delete the line we had added in the sudoers file, and reboot… I too got an error while editing the sudoers file.

Reply

11 Billy Crook October 9, 2011 at 6:21 pm

@Sandeep

That’s because you’re not supposed to edit /etc/sudoers. You’re a human. That file is not for humans. Do not attempt to edit that file. Instead, run the command visudo.

Reply
