#1
Hi,

In my organization, we have home folders mounted. My problem is how to have Maildir and configuration files like fetchmail and fetchnews having my password in them? Anyone can use sudo on any machine to read these files. So I am looking for a tool which will email me if anyone uses sudo on me.

Thanks
Jagadeesh
#2
In article, Jagadeesh wrote:
> Hi,
>
> In my organization, we have home folder mounted. My problem is how to
> have Maildir and configuration files like fetchmail and fetchnews
> having my password in them? Any one can use sudo on any machine to
> read these files. So I am looking for the tool which will email me if
> anyone use sudo on me.

If anyone can use sudo, then they have the ability to turn off the notification system. Why do you let everyone use sudo?

--
Barry Margolin, barmar-at-alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
#3
Jagadeesh wrote:
> Hi,
>
> In my organization, we have home folder mounted. My problem is how to
> have Maildir and configuration files like fetchmail and fetchnews
> having my password in them?

There's little getting around the insecurity of having a plaintext password in a configuration file. In the best case, root will be the only other person to have the ability to read it.

> Any one can use sudo on any machine to read these files.

Oy. Sounds like the sudo.conf configuration is not nearly tight enough. sudo should be locked down to specific commands to run as root, but even when that occurs, that subset of commands can often be used to read arbitrary files.

> So I am looking for the tool which will email me if anyone use sudo
> on me.

If with sudo, anyone can run whatever they like as root, you could use sudo to periodically have a peek at /var/log/auth.log or wherever syslog is set up to log sudo use. grep it for your username, and investigate from there.

More importantly, though, you're on a sloppily configured shared machine. Assuming privacy of nearly anything would be folly, I'm afraid.

--
Todd H.
http://www.toddh.net/
#4
Thank you for replying to me. Let me be clear here.

I have A, B, C, D servers and I can log on to any box because passwd and home are pushed to all these boxes.

Regularly I am using server A; I have set up syslog and a daemon to watch /var/log/auth.log on A. But what if anybody uses sudo on the B, C, D servers? So can I have anything in my .profile to detect who is logging in? If I'm logging in as user jagadeesh, it should not email me; if I or anyone else uses sudo jagadeesh, then it should be notified to a defined email address.

Thanks
Jagadeesh
#5
Jagadeesh wrote:
> Thank you for replying me. Let me be clear here.
>
> I have A,B,C,D servers and I can log on to any box because passwd and
> home are pushed to all these boxes.
>
> Regularly I am using server A, I have set up syslog and demon to
> watch /var/log/auth.log on A.
> But what if anybody sudo on B,C,D servers? so Can I have anything in
> my .profile to detect
> who is loggin in? if I'm logging with user jagadeesh, it should not
> email me, if I OR anyone use
> sudo jagadeesh, then it should notified to defined email address.

What if they sudo to root and THEN read your files? Your approach looking for sudo jagadeesh doesn't detect that.

There's nothing in your .profile you can add that'll do much of anything unless you're somehow logged into B, C and D. That said, however, a crontab entry would be one way around that (i.e. something that runs every hour or so looking for references to your account in auth.log). Otherwise, if you don't have the ability to add a cron entry, you could have detached screen sessions running on the other boxes running your "watcher script" in a while 1 loop and then sleeping for 60 minutes to run again.

    $ screen -S futility /path/to/my/mywatcherscript.sh

But I'm not sure you've fully absorbed the inherent insecurity in the servers you're using. If any user can use sudo to execute things as root or as anyone else, you're quite simply screwed. You won't want ANY passwords you care about on that system, or any data you don't fully expect any other user to know/have/be able to copy and share.

Better to change the password you have had out there in the fetchmail.conf file and stop using that server for your day to day use. Quite likely some enterprising user who is aware of the insecurity of the system has a keylogger running on it that can capture passwords being entered in real time, even.

Best Regards,
--
Todd H.
http://www.toddh.net/
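A watcher script along the lines Todd describes, added here as an example and not taken from the thread: it parses the sudo entries of an auth.log for sudo runs targeting the account by someone else and, separately, for sudo-to-root by anyone else (the case the per-account check misses). The account name jagadeesh and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: scan sudo entries in an auth.log
# (syslog format) and report uses of sudo that involve another user.
# The account "jagadeesh" and the log lines below are constructed.

# Write a constructed sample of syslog lines to the path given in $1.
make_sample_log() {
    cat >"$1" <<'EOF'
Aug 25 19:01:11 hostB sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=jagadeesh ; COMMAND=/bin/cat /home/jagadeesh/.fetchmailrc
Aug 25 19:02:30 hostA sudo: jagadeesh : TTY=pts/1 ; PWD=/home/jagadeesh ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Aug 25 19:05:44 hostC sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Aug 25 19:06:00 hostC sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Aug 25 19:07:15 hostD sshd[2211]: Accepted publickey for jagadeesh from 10.0.0.5 port 50122 ssh2
Aug 25 19:08:02 hostD sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=jagadeesh ; COMMAND=/bin/sh
EOF
}

# sudo_hits LOG SELF WANT: print sudo lines whose target (USER=) is WANT
# and whose invoker is not SELF. WANT=SELF catches "someone ran sudo as
# me"; WANT=root catches "someone became root", which the per-account
# check misses even though root can read the same files. Failed attempts
# ("user NOT in sudoers") carry the same fields and are reported too.
sudo_hits() {
    awk -v self="$2" -v want="$3" '
        / sudo[^:]*: / && /USER=/ {
            match($0, / sudo[^:]*: */)
            split(substr($0, RSTART + RLENGTH), f, " ")   # f[1]: invoker
            match($0, /USER=[^ ;]+/)
            target = substr($0, RSTART + 5, RLENGTH - 5)
            if (target == want && f[1] != self) print
        }' "$1"
}

# Number of matching lines, for a cron job's report/exit logic.
count_hits() {
    sudo_hits "$@" | wc -l | tr -d ' '
}

# Demo on the constructed sample. A cron entry would point LOG at
# /var/log/auth.log instead; cron mails whatever the job prints to its
# owner, which covers the "email me" part without extra tooling.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "sudo as jagadeesh by someone else:"; sudo_hits "$LOG" jagadeesh jagadeesh
echo "sudo to root by someone else:";      sudo_hits "$LOG" jagadeesh root
rm -f "$LOG"
```

Under a locked-down sudoers the same parser still applies; only the set of lines it finds shrinks.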
#6
On Aug 25, 7:17 pm, comph...@toddh.net (Todd H.) wrote:
> Jagadeesh wrote:
> > Thank you for replying me. Let me be clear here.
> >
> > I have A,B,C,D servers and I can log on to any box because passwd and
> > home are pushed to all these boxes.
> >
> > Regularly I am using server A, I have set up syslog and demon to
> > watch /var/log/auth.log on A.
> > But what if anybody sudo on B,C,D servers? so Can I have anything in
> > my .profile to detect
> > who is loggin in? if I'm logging with user jagadeesh, it should not
> > email me, if I OR anyone use
> > sudo jagadeesh, then it should notified to defined email address.
>
> What if they sudo to root and THEN read your files? Your approach
> looking for sudo jagadeesh doesn't detect that.
>
> There's nothing in your .profile you can add that'll do much of
> anything unless you're somehow logged into B, C and D. That said,
> however, a crontab entry would be one way around that (i.e. something
> that runs every hour or so looking for references to your account in
> auth.log). Otherwise, if you don't have the ability to add a cron
> entry you could have detached screen sessions running on the other
> boxes running your "watcher script" in a while 1 loop and then
> sleeping for 60 minutes to run again.
>
>     $ screen -S futility /path/to/my/mywatcherscript.sh
>
> But I'm not sure you've fully absorbed the inherent insecurity in the
> servers you're using. If any user can use sudo to execute things as
> root or as anyone else, you're quite simply screwed. You won't want
> ANY passwords you care about on that system, or any data you don't
> fully expect any other user to know/have/be able to copy and share.
>
> Better to change the password you have had out there in the
> fetchmail.conf file and stop using that server for your day to day
> use. Quite likely some enterprising user who is aware of the
> insecurity of the system has a keylogger running on it that can
> capture passwords being entered in real time, even.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Thank you so much for this crystal clear explanation. I will use a separate server for daily use.

Thanks again
Jagadeesh