
Procedure to configure email notification for root login & authentication for root access

1 Revision History

Date        Version   Description                                                                       Status   Author / Editor
14.06.2016  1.0       Document to configure email notification for root login and authentication       Final    Velroy Noronha
                      for sudo access to root

2 Information about Author / Editor

This document was written and/or edited by:

Short name   Author / Editor Details
Velroy       Velroy Noronha
             Linux Systems Administrator
             velroy.noronha@wirecard.com | +971-4-3748-402

Short name   Reviewed by

Confidential & for internal use only

14/06/2016

3 Table of Contents

1 Revision History ............................................................ 2
2 Information about Author / Editor/Reviewer .................................. 2
3 Table of Contents ........................................................... 3
4 Purpose of configuring email notification and authentication for root login . 3
5 Scope and Target Audience of this Document .................................. 4
6 Requirements ................................................................ 4
7 Procedure ................................................................... 4
8 Timeline .................................................................... 9
9 Post Procedure verification ................................................. 9

4 Purpose of notification and authentication for root login

As part of a continuous effort to improve security, we need to be notified every time any user logs in as
root, so that we have a record of which user logged in and at what time. To avoid misuse of sudo access,
we also need to require authentication from any user who has permission to log in as root using sudo.

5 Scope and Target Audience of this Procedure


This document is applicable to the systems and security team.

6 Requirements
The following are the requirements to go ahead with this implementation.
a. Jira ticket for the change
b. Root access to the server

7 Procedure
1. Log in to the server and sudo to root.
2. Check that direct root login has been disabled and that an encrypted password is in place.
- If direct root login has not been disabled or the encrypted password is not configured, raise a
new Jira ticket to disable direct root login and implement the encrypted password, and assign it to the respective owner in the systems team.
Email Notification
3. Change to the /root directory, or confirm that you are already in /root.

4. Take a backup of the .bash_profile file with a _DDMMYYYY extension as follows.

5. Edit .bash_profile with the vi editor and add the following lines at the bottom of the file, replacing
the content marked in red in the original document (the server name, the server IP and the recipient
addresses) with the respective server name, server IP and the addresses that should receive the
notification. In our case the email notification is sent to the Linux systems team and to Abishek from
the security team.
#!/bin/bash
# Walk up the process tree from this shell until the process owner changes from
# root; that owner is the account that ran sudo/su to become root.
function findUser() {
    thisPID=$$
    origUser=$(whoami)
    thisUser=$origUser
    while [ "$thisUser" = "$origUser" ]
    do
        ARR=($(ps h -p "$thisPID" -o user,ppid))
        thisUser="${ARR[0]}"
        myPPid="${ARR[1]}"
        thisPID=$myPPid
        # Stop at init: a chain owned by root all the way up means a direct
        # root login (or a cron job), not a sudo/su from another account.
        if [ "${thisPID:-0}" -le 1 ]; then
            break
        fi
    done
    getent passwd "$thisUser" | cut -d: -f1
}
user=$(findUser)
# Subject carries the originating host of the most recent session; the body lists every host the user is logged in from.
mail -s "Root Access on wp2rtwo03p(10.11.200.193) on `date` by $user from `who | grep $user | awk '{print $5}' | tail -1`" abishek.s@wirecard.com,wdp.linuxadmin@wirecard.com <<< "ALERT - Root Access on wp2rtwo03p(10.11.200.193) on: `date` by $user from `who | grep $user | sort -k1,4 | cut -d '(' -f2 | sed -e "s/)/ /g" | tr -d '\n' | awk '{print $NF}'`. The user is currently also logged in from the following hosts :- `who | grep $user | awk '{print $3" "$4" " $5}'` "

Authentication for sudo access to root


6. Take a backup of the /etc/sudoers file with a _DDMMYYYY extension as follows.

7. Edit the /etc/sudoers file with the vi editor, find the following lines, copy them and comment
out the original lines.
Find the lines below:

%grpUnixAdmins ALL=(ALL) NOPASSWD: ALL
%grpOraAdmins ALL=(ALL) NOPASSWD: DBADMIN
%grpAppAdmins ALL=(ALL) NOPASSWD: APPADMIN

Comment the lines out with a # at the beginning of each of these lines:

#%grpUnixAdmins ALL=(ALL) NOPASSWD: ALL
#%grpOraAdmins ALL=(ALL) NOPASSWD: DBADMIN
#%grpAppAdmins ALL=(ALL) NOPASSWD: APPADMIN

Paste the following lines below the commented lines:

%grpUnixAdmins ALL=(ALL) ALL, !/usr/bin/sudo su, !/bin/su, /bin/su -, /bin/su - root
%grpOraAdmins ALL=(ALL) DBADMIN
%grpAppAdmins ALL=(ALL) APPADMIN

8. Add the following line below the lines added above:

Defaults lecture = always
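The sudoers change from steps 6 to 8, together with the root-authentication check from the verification section, written as a script. This is an added example, not the document's own procedure; the file path is a parameter (so it can be exercised on a copy rather than /etc/sudoers), the group names and command list are those given above, and the script assumes visudo is available when run as root so that a syntax error cannot be installed into the live file.

```shell
#!/bin/sh
# Added example, not the document's own script. Applies the sudoers change from
# steps 6-8 to the file given as $1, keeps a _DDMMYYYY backup (step 6) and, when
# run as root with visudo available, refuses to install the result unless
# visudo -c accepts it (a syntax error in sudoers locks everyone out of sudo).
# Group names and command list are those from the document; the file path is a
# parameter so the function can be exercised on a copy.
set -e

harden_sudoers() {
    file="$1"
    cp -p "$file" "${file}_$(date +%d%m%Y)"      # step 6: backup, _DDMMYYYY suffix
    tmp=$(mktemp "${file}.XXXXXX")                 # staged next to the target
    # step 7: comment out the NOPASSWD rules for the three admin groups
    sed -E 's/^(%grp(Unix|Ora|App)Admins[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:)/#\1/' \
        "$file" > "$tmp"
    # steps 7 and 8: password-required rules and the lecture default
    cat >> "$tmp" <<'EOF'
%grpUnixAdmins ALL=(ALL) ALL, !/usr/bin/sudo su, !/bin/su, /bin/su -, /bin/su - root
%grpOraAdmins ALL=(ALL) DBADMIN
%grpAppAdmins ALL=(ALL) APPADMIN
Defaults lecture = always
EOF
    chmod 0440 "$tmp"
    # root owns the staged file, so visudo's owner/mode check passes as well
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp"
    fi
    mv "$tmp" "$file"
}

# Post-procedure check (section 9): succeeds only when no active NOPASSWD rule
# remains for the three groups, i.e. sudo will prompt for a password.
check_sudoers() {
    ! grep -E '^%grp(Unix|Ora|App)Admins[[:space:]].*NOPASSWD' "$1" >/dev/null
}
```

Run it against a copy first (harden_sudoers /tmp/sudoers.copy) and inspect the result before applying it to /etc/sudoers; the Cmnd_Alias definitions for DBADMIN and APPADMIN must already exist in the file for visudo to accept it.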


8 Activity Time line

Sr No   Activity              Duration
1       Email notification    10 mins
2       Root authentication   10 mins
        Total Time            20 mins

9 Verification
Email notification
Open a new ssh session, sudo to root, and check that the email notification arrives in the configured email accounts.
Root Authentication
Sudo to root and check that you are prompted for a password.
-----------The End-----------
