configuring sudosh and sendmail masquerading, as well as working with syslog-ng

Jephe Wu - http://linuxtechres.blogspot.com

Objective: Basically, we'd like to allow only IS staff to ssh into the production servers remotely and use sudo sudosh or sudo -u db2inst1 sudosh to switch to root or db2inst1, so that every command (including vi keystrokes) is logged; at the same time, an email is triggered whenever anyone uses sudo to switch to the root or db2inst1 user.

Use sudosh2 for accountability and swatch to send an alert whenever someone logs in as db2inst1 or root. Use the OpenSSH allowusers directive to allow only system administrators to ssh in remotely.

Environment: RHEL 5 or CentOS 5


Steps:
1. sudosh2 software installation and configuration


Search Google for sudosh2 and download sudosh2-1.0.4. Please refer to
http://www.shortcutsolutions.net/sudosh2-software/55-introduction-sudosh2-user-shell-auditing.html
for the installation steps, which are also mentioned on http://sourceforge.net/projects/sudosh2/

# tar xvfz sudosh2-1.0.4.tar.gz
# cd sudosh2-1.0.4
# ./configure
# make
# make install
# sudosh

Important: run the sudosh command once first to create the necessary directories.

The configuration file for sudosh is /etc/sudosh.conf

2. visudo
ssh into the server and become root as normal
# useradd jephe -c "Jephe Wu"
# passwd jephe
# visudo


add the following to /etc/sudoers:

Cmnd_Alias SUDOSH=/usr/local/bin/sudosh
jephe ALL=(root)SUDOSH, (db2inst1)SUDOSH



Note: the Cmnd_Alias line must come before the jephe ALL line; otherwise sudo sudosh does not work.


Please refer to http://www.shortcutsolutions.net/sudosh2-shell-auditing-software/89-configuration-of-sudosh2.html for sudosh2 configuration and installation

3. ssh configuration

vi /etc/ssh/sshd_config and add the following:

PermitRootLogin no
Protocol 2
banner /etc/motd.ssh
allowusers jephe anotheruser


Then put the security warning message into /etc/motd.ssh.

Then run 'sshd -t' to test the sshd configuration syntax,
run 'service sshd restart' to restart sshd,
and run 'ssh localhost' to test it.

4. su configuration
vi /etc/pam.d/su and uncomment the following line so that only members of the wheel group are able to su:
auth required /lib/security/$ISA/pam_wheel.so use_uid

5. Sendmail

To enable sending email from the database server to the centralized mail server mailrelay, we need to add the following to the default sendmail.mc.

e.g. if the server name is server.domain.com, we need to masquerade all sender addresses, including the envelope address, from root@server.domain.com to root@newdomain.com, then deliver the mail to the centralized mail server mailrelay.

dnl EXPOSED_USER stays commented out so that root is masqueraded as well
dnl EXPOSED_USER(`root')dnl
MASQUERADE_AS(`newdomain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
MASQUERADE_DOMAIN(`domain.com')dnl


Then put the following into /etc/mail/mailertable and rebuild the database by running
makemap hash /etc/mail/mailertable < /etc/mail/mailertable

newdomain.com relay:[mailrelay]

Then put the following into /etc/hosts
10.0.0.1 mailrelay

Enable the root alias as follows:
add the following line to /etc/aliases, then run newaliases
root: jephe_wu@newdomain.com

Note:
   a. No need to set SMART_HOST, since we only need to relay newdomain.com to the centralized mailrelay server.
   b. No need to change the default of listening only on localhost, since we only need to send email, not receive it.

So now any email sent to the local user root will be delivered to jephe_wu@newdomain.com on the mailrelay server.
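The following Python model is added here as an illustration (it is not part of the original post and not sendmail's own code): it traces what the sendmail.mc, mailertable and aliases entries above are meant to do, namely which sender domains get masqueraded, what leaving EXPOSED_USER commented out changes for root, and where mail to local root ends up. It is a simplified model of those rules, not sendmail's actual rewriting rulesets; the hostname and addresses are the ones used in this section.

```python
from typing import Optional, Set, Tuple

# Values taken from the sendmail.mc, mailertable and aliases entries above.
LOCAL_HOSTNAME = "server.domain.com"    # the host's own name, always masqueraded
MASQUERADE_AS = "newdomain.com"
MASQUERADE_DOMAINS = {"localhost", "localhost.localdomain", "domain.com"}
MASQUERADE_ENTIRE_DOMAIN = True         # FEATURE(masquerade_entire_domain)
MASQUERADE_ENVELOPE = True              # FEATURE(masquerade_envelope)
# EXPOSED_USER(`root') is commented out with dnl above, so nothing is exposed.
EXPOSED_USERS: Set[str] = set()
MAILERTABLE = {"newdomain.com": "relay:[mailrelay]"}   # /etc/mail/mailertable
ALIASES = {"root": "jephe_wu@newdomain.com"}           # /etc/aliases after newaliases

def domain_masqueraded(domain: str) -> bool:
    """Is this sender domain rewritten to MASQUERADE_AS?"""
    if domain == LOCAL_HOSTNAME or domain in MASQUERADE_DOMAINS:
        return True
    # masquerade_entire_domain extends each MASQUERADE_DOMAIN to its subdomains
    return MASQUERADE_ENTIRE_DOMAIN and any(
        domain.endswith("." + d) for d in MASQUERADE_DOMAINS)

def masquerade(address: str, envelope: bool = False,
               exposed: Set[str] = EXPOSED_USERS) -> str:
    """Rewrite a header (or, with envelope=True, envelope) sender address."""
    user, _, domain = address.partition("@")
    if envelope and not MASQUERADE_ENVELOPE:
        return address                  # only header addresses would be rewritten
    if user in exposed or not domain_masqueraded(domain):
        return address
    return user + "@" + MASQUERADE_AS

def route(address: str) -> Optional[str]:
    """mailertable lookup for the recipient domain; None means no entry."""
    return MAILERTABLE.get(address.partition("@")[2])

def deliver(local_user: str) -> Tuple[str, Optional[str]]:
    """Trace mail to a local user: alias expansion, then mailertable routing."""
    rcpt = ALIASES.get(local_user, local_user + "@" + LOCAL_HOSTNAME)
    return rcpt, route(rcpt)

if __name__ == "__main__":
    print(masquerade("root@server.domain.com"))                    # root@newdomain.com
    print(masquerade("root@server.domain.com", exposed={"root"}))  # root@server.domain.com
    print(deliver("root"))   # ('jephe_wu@newdomain.com', 'relay:[mailrelay]')
```

The second call shows what uncommenting EXPOSED_USER(`root') would do: root mail would leave the server with its real hostname and not reach the mailrelay route.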

6. Swatch
register your Red Hat subscription using rhn_register (interactive; it requires you to type in your RHN username and password);
there is no need to register if you are using CentOS 5

install the rpmforge rpm from the DAG website (see http://dag.wieers.com/rpm/FAQ.php#B):
wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -Uvh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

put the proxy setting in /etc/yum.conf like
proxy=http://10.0.0.1:3128

yum install swatch
the rpm packages will be downloaded to /var/lib/yum and installed

Put the following to /etc/swatch.conf

watchfor /sudo:.*/
mail root,subject=--- DB1 sudo alert! ---


watchfor /su:.*/
mail root,subject=--- DB1 su alert!---


watchfor /login: ROOT LOGIN.*/
mail root,subject=---DB1 console login alert!---


Note: watchfor and mail must be in lowercase (not Watchfor or Mail root).
If swatch disappears from the ps output after a while, run it in the foreground with
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure
then ssh in and check whether it reports any error.



put the following line into /etc/rc.local:
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

change /etc/logrotate.conf to rotate weekly, keep 52 rotations (a year) and compress

configure /etc/logrotate.d/syslog as follows:

/var/log/messages /var/log/maillog /var/log/spooler /var/log/secure /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/log/syslogd.pid 2> /dev/null` 2> /dev/null || true
        ##added by Jephe####
        # restart swatch (and the tail it spawned) so it follows the new /var/log/secure
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
        ###end#####
    endscript
}


finally, run the command from /etc/rc.local now:
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

===========
syslog-ng and swatch standard input
Objective: pipe syslog-ng's log output straight into swatch on standard input

    * syslog-ng configuration
destination swatch {
program("/usr/bin/swatch -c /etc/swatch.conf --read-pipe=\"cat /dev/fd/0\"");
};

#send all logs to swatch
log { source(s_sys); destination(swatch); };



    * /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- SERVER1 sudo alert! ---

watchfor /su:.*/
mail root,subject=--- SERVER1 su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- SERVER1 console login alert! ---



Note:
1. no need to run swatch as a daemon
2. no need to modify /etc/logrotate.d/syslog
3. /dev/fd/0 is different from /dev/fd0, which is the floppy disk



References:
Central Loghost Mini-HOWTO at http://www.campin.net/newlogcheck.html

Note:
1. SEC (http://www.estpak.ee/~risto/sec/) is better than swatch