- purpose:
- install sudosh
- put the folllowing to /etc/sudoers
- initialize sudo folder by running 'sudosh -i', the permission should be like this:
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh
- install swatch to realtime scan /var/log/secure to monitor 'su, sudo and console root login'
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---
watchfor /su:.*/
mail root,subject=--- server su alert! ---
watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set root alias in /etc/alias, then run 'newaliases', for those environment that doesn't have DNS server, using /etc/mail/service.switch
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. put the following to /etc/logrotate.d/syslog
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
###end#####
endscript
}
6. put the following to /usr/local/sbin/restartsw (for restarting swatch)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
#!/bin/sh
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
- configuring sendmail.mc to masquerade in non-dns environment
39a40
> define(`SMART_HOST',`mailrelay')dnl
103c104
<> dnl EXPOSED_USER(`root')dnl
160c161
<> MASQUERADE_AS(`newdomain.com')dnl
164c165
<> FEATURE(masquerade_envelope)dnl
168c169
<> FEATURE(masquerade_entire_domain)dnl
170,172c171,173
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl
> MASQUERADE_DOMAIN(domain.com)dnl
note: assuming server hostname is jephe.domain.com, so swatch will send out email using root@jephe.domain.com normally, which is not-exist domain, but newdomain.com is valid, so we masquerade it to root@newdomain.com.