Thursday, April 10, 2008

setup sudosh and swatch on Linux server

  • purpose:
assuming the root password is locked away in a safe, a normal user such as 'jephe' can only become root via 'sudo sudosh'; from that point on everything typed in the session is recorded and can be replayed later.

  • install sudosh
download it from the DAG website (search Google for 'DAG sudosh') so that 'yum install sudosh' works on CentOS 5, or run 'yum install sudosh' on RHEL 5 after registering with RHN using the command 'rhnreg_ks --proxy=http://x.y.z.k:port --username=user1 --password=pass1'
  • put the following in /etc/sudoers
jephe ALL=/usr/bin/sudosh
  • initialize the sudosh log directory by running 'sudosh -i'; the permissions should look like this:
[root@jephe ~]# ls -ld /var/log/sudosh
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh

  • install swatch to scan /var/log/secure in real time and alert on 'su', 'sudo' and console root logins
1. install the swatch rpm using the same method as for sudosh
2. put the following in /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---

watchfor /su:.*/
mail root,subject=--- server su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set the root alias in /etc/aliases, then run 'newaliases'; for environments without a DNS server, use /etc/mail/service.switch:
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following in /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. add the following to the postrotate section of /etc/logrotate.d/syslog, so that swatch is restarted on the new file after each rotation
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    postrotate
        /bin/kill -HUP `cat /var/run/ 2> /dev/null` 2> /dev/null || true

        ##added by Jephe####
        # stop the running swatch and the tail it spawned, then start a fresh one
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
    endscript
}
6. put the following in /usr/local/sbin/restartsw (for restarting swatch by hand)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
#!/bin/sh
# stop the running swatch and the tail it spawned, then start a fresh one
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
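As an added example (not from the original post), the following POSIX shell script applies the same three watchfor patterns from the swatch.conf above to constructed /var/log/secure-style lines, so you can see which alert each line would raise before the config goes live. The sample lines, the host name 'jephe', user names and IP address are all constructed; the script assumes only a POSIX sh and grep.

```shell
#!/bin/sh
# Added example, not from the original post: apply the three watchfor
# patterns from /etc/swatch.conf to constructed /var/log/secure-style
# lines and report the alert each would trigger.

# Constructed sample log lines (host, user names and IP are placeholders).
# The last line is a root login over ssh, which none of the three rules
# cover: the config watches su, sudo and console logins only.
SAMPLE_LOG='Apr 10 15:37:01 jephe sudo: jephe : TTY=pts/0 ; PWD=/home/jephe ; USER=root ; COMMAND=/usr/bin/sudosh
Apr 10 15:38:10 jephe su: pam_unix(su:session): session opened for user root by jephe(uid=500)
Apr 10 15:40:00 jephe login: ROOT LOGIN ON tty1
Apr 10 15:41:00 jephe sshd[2222]: Accepted publickey for jephe from 192.0.2.10 port 50000 ssh2
Apr 10 15:42:00 jephe sshd[2223]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# Print the mail subject swatch would use for one line, or "no match".
# Same regexes as swatch.conf, tested in the same order as in the file.
classify_line() {
    if printf '%s\n' "$1" | grep -q 'sudo:.*'; then
        echo '--- server sudo alert! ---'
    elif printf '%s\n' "$1" | grep -q 'su:.*'; then
        echo '--- server su alert! ---'
    elif printf '%s\n' "$1" | grep -q 'login: ROOT LOGIN.*'; then
        echo '--- server console login alert! ---'
    else
        echo 'no match'
    fi
}

# Count the lines read from stdin that would raise an alert.
count_alerts() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" != 'no match' ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Show every sample line with the subject it would trigger, then the total.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-38s <= %s\n' "$(classify_line "$line")" "$line"
done
printf 'lines that would alert: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_alerts)"
```

Note that the 'su:' rule also fires on pam_unix(su:session) records, while a root login over ssh triggers nothing, which matches the stated scope of the config.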

  • configuring sendmail to masquerade in a non-DNS environment (changes to sendmail.mc)
[root@db7 mail]# diff
> define(`SMART_HOST',`mailrelay')dnl
<> dnl EXPOSED_USER(`root')dnl
<> FEATURE(masquerade_envelope)dnl
<> FEATURE(masquerade_entire_domain)dnl
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl

note: assuming the server hostname is, swatch would normally send email using, which is a non-existent domain, but is valid, so we masquerade it to


Gadelkareem said...

Thank you!
Here is a full installation guide with examples for watching system log files... Watch log files on Linux server with Swatch 3.2.3

threeta said...

many thanks - I was checking the permissions on /var/adm/sudosh, and they're set to rwx-wx-wx. BUT the user can delete their files:

akl2ap846#> ls -l /var/adm/sudosh
-rw------- 1 lewir1 sapext 133 Jun 18 14:44 lewir1-lewir1-input-1371522599-IPPPPvvvvvRRRRRx
-rw------- 1 lewir1 sapext 2290 Jun 18 14:44 lewir1-lewir1-script-1371522599-IPPPPvvvvvRRRRRx
-rw------- 1 lewir1 sapext 1995 Jun 18 14:44 lewir1-lewir1-time-1371522599-IPPPPvvvvvRRRRRx

is this bad?