configuring sudosh and sendmail masquerading, as well as working with syslog-ng

Jephe Wu -

Objective: Basically, we'd like to allow only IS staff to ssh into the production servers and use `sudo sudosh` or `sudo -u db2inst1 sudosh` to switch to root or db2inst1, so that every command, including vi keystrokes, is logged; at the same time, an email is triggered whenever anyone uses sudo to switch to root or db2inst1.

Use sudosh2 for accountability and swatch for sending an alert out as soon as someone logs in as db2inst1 or root. Use the OpenSSH AllowUsers directive to allow only system administrators to ssh in remotely.

: RHEL 5 or CentOS 5

1. sudosh2 software installation and configuration

Search Google for sudosh2, then download sudosh2-1.0.4. Please refer to the website for the installation steps, which are mentioned on

# tar xvfz sudosh2-1.0.4.tar.gz
# cd sudosh2-1.0.4
# ./configure
# make
# make install
# sudosh

Important: run sudosh command once to create necessary directories first.

The configuration file for sudosh is /etc/sudosh.conf

2. visudo
ssh into the server and become root as usual, then:
# useradd jephe -c "Jephe Wu"
# passwd jephe
# visudo

add the following to /etc/sudoers:

Cmnd_Alias SUDOSH=/usr/local/bin/sudosh
jephe ALL=(root)SUDOSH, (db2inst1)SUDOSH

Note: the Cmnd_Alias line must come before the "jephe ALL" line; otherwise sudo sudosh doesn't work.

Please refer to for sudosh2 configuration and installation

3. ssh configuration

vi /etc/ssh/sshd_config and add the following lines:

PermitRootLogin no
Protocol 2
banner /etc/motd.ssh
allowusers jephe anotheruser

then put the security warning message into /etc/motd.ssh.

Then run 'sshd -t' to check the sshd configuration syntax, 'service sshd restart' to restart sshd, and 'ssh localhost' to test the result.

4. su configuration
vi /etc/pam.d/su and uncomment the following line so that only members of the wheel group are able to su:
auth required /lib/security/$ISA/ use_uid

5. Sendmail

To enable sending email from the database server to the centralized mail server mailrelay, we need to put the following into the default as follows:

e.g. the server name is, and we need to masquerade all sender addresses, including the envelope address, as from to, then deliver the mail to the centralized mail server mailrelay.

dnl EXPOSED_USER(`root')dnl

Then put the following into /etc/mail/mailertable:
relay:[mailrelay]

After that, run:
makemap hash /etc/mail/mailertable < /etc/mail/mailertable

Then put the following into /etc/hosts:
mailrelay

Enable the root alias as follows:
add the following line to /etc/aliases, then run newaliases

Note:
a. no need to give SMART_HOST, since we only need to relay to the centralized mailrelay server.
b. no need to disable listening only on localhost, since we only need to send email out, not receive it.

So now any email sent to the local user root will be delivered to on the mailrelay server.

6. Swatch
Register your Red Hat subscription using rhn_register (interactive; it asks for your RHN username and password),
or skip registration if you are using CentOS 5.

Install the rpmforge rpm from the DAG website at ,
rpm -Uvh

put the proxy setting in /etc/yum.conf like

yum install swatch
then the rpm packages will be downloaded to /var/lib/yum and installed.

Put the following to /etc/swatch.conf

watchfor /sudo:.*/
mail root,subject=--- DB1 sudo alert! ---

watchfor /su:.*/
mail root,subject=--- DB1 su alert!---

watchfor /login: ROOT LOGIN.*/
mail root,subject=---DB1 console login alert!---

Note: the keywords must be lower case: watchfor, not Watchfor; mail root, not Mail root.
If swatch disappears from the ps output after a while, run it in the foreground with
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure
then try to ssh in and check whether it prints any error.

put the following line into /etc/rc.local:
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

change /etc/logrotate.conf to rotate weekly, keep 52 weeks (a year) of logs, and compress them

configure /etc/logrotate.d/syslog as follows; the extra lines restart swatch (and the tail it spawned) after rotation so it keeps following the new /var/log/secure:

/var/log/messages /var/log/maillog /var/log/spooler /var/log/secure /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/log/ 2> /dev/null` 2> /dev/null || true
        ##added by Jephe####
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
    endscript
}

finally, run the same command as in /etc/rc.local by hand to start swatch now:
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

syslog-ng and swatch standard input
Objective: pipe the syslog-ng log output straight into swatch's standard input instead of having swatch tail a log file

    * syslog-ng configuration
destination swatch {
    program("/usr/bin/swatch -c /etc/swatch.conf --read-pipe=\"cat /dev/fd/0\"");
};

#send all logs to swatch
log { source(s_sys); destination(swatch); };

    * /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- SERVER1 sudo alert! ---

watchfor /su:.*/
mail root,subject=--- SERVER1 su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- SERVER1 console login alert! ---

1. no need to run swatch as a daemon
2. no need to modify /etc/logrotate.d/syslog
3. /dev/fd/0 is different from /dev/fd0, which is the floppy disk
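Added example (not from the original post) covering both swatch.conf versions above, which use the same three patterns: it replays the sudo:, su: and "login: ROOT LOGIN" watchfor rules against a constructed /var/log/secure sample, so you can see which events would produce an alert mail before wiring swatch to syslog-ng. The SERVER1 subjects are used; the log lines are constructed, not real.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure (not real log data).
SAMPLE_SECURE='Mar  1 10:01:02 server1 sshd[2101]: Accepted publickey for jephe from 10.0.0.5 port 51234 ssh2
Mar  1 10:01:10 server1 sudo:    jephe : TTY=pts/0 ; PWD=/home/jephe ; USER=root ; COMMAND=/usr/local/bin/sudosh
Mar  1 10:02:30 server1 sudo:    jephe : TTY=pts/0 ; PWD=/home/jephe ; USER=db2inst1 ; COMMAND=/usr/local/bin/sudosh
Mar  1 10:03:00 server1 su: pam_unix(su:session): session opened for user root by jephe(uid=500)
Mar  1 10:04:00 server1 login: ROOT LOGIN ON tty1
Mar  1 10:05:00 server1 sshd[2140]: Failed password for invalid user admin from 10.0.0.9 port 4021 ssh2'

# Mirror swatch: rules are tried in file order and the first matching
# watchfor wins. Prints the mail subject swatch would send, or "no alert".
swatch_alert() {
    if printf '%s\n' "$1" | grep -Eq 'sudo:.*'; then
        echo '--- SERVER1 sudo alert! ---'
    elif printf '%s\n' "$1" | grep -Eq 'su:.*'; then
        echo '--- SERVER1 su alert! ---'
    elif printf '%s\n' "$1" | grep -Eq 'login: ROOT LOGIN.*'; then
        echo '--- SERVER1 console login alert! ---'
    else
        echo 'no alert'
    fi
}

# For a sudo line, extract who switched to which target user with what
# command; the keystrokes themselves are in the sudosh session log.
sudo_actor() {
    printf '%s\n' "$1" | sed -n 's/.*sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 -> \2 (\3)/p'
}

# Count alerts per rule over the whole sample, e.g. "sudo=2 su=1 login=1 none=2".
alert_summary() {
    n_sudo=0; n_su=0; n_login=0; n_none=0
    while IFS= read -r line; do
        case "$(swatch_alert "$line")" in
            *'sudo alert'*)  n_sudo=$((n_sudo+1)) ;;
            *' su alert'*)   n_su=$((n_su+1)) ;;
            *'login alert'*) n_login=$((n_login+1)) ;;
            *)               n_none=$((n_none+1)) ;;
        esac
    done <<EOF
$SAMPLE_SECURE
EOF
    echo "sudo=$n_sudo su=$n_su login=$n_login none=$n_none"
}

alert_summary
```

Note that the su: rule matches the pam_unix "su:session" line, while the sshd lines match nothing; a successful ssh login by an allowed user therefore produces no mail, only the later sudo to root or db2inst1 does.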

Central Loghost Mini-HOWTO at

1. SEC( is better than swatch