Why I Set Email Alerts for Every New User Added to My Linux Server (And How You Can Too)
Intro:
New users being added to a server may seem harmless — especially if you’re managing it solo. But on a shared or internet-facing server, this can be the first sign of a breach. I learned this the hard way after noticing strange sudo activity from a user I never created. Here’s how I now monitor all user creations and how you can set up real-time email alerts on both Ubuntu and Red Hat.
1. Why You Should Care About New Users
A newly created user with sudo access can:
- Install malware
- Pivot into lateral movement
- Hide activity using rootkits
Even without sudo, attackers use fake users for persistence — so catching it early is key.
2. Monitor /etc/passwd in Real Time Using auditd
Install auditd:
# Ubuntu
sudo apt install auditd -y
# Red Hat
sudo yum install audit -y
Create an audit rule:
sudo auditctl -w /etc/passwd -p wa -k useradd-watch
This tells the system to watch for writes/appends to /etc/passwd.
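What the watch rule gives you is a raw audit event, not an alert. The script below is an added example (it is not code from the original post) that shows the next step: pull the SYSCALL events carrying the useradd-watch key out of the audit log, work out which account actually appeared by comparing the current /etc/passwd with an earlier snapshot, and build a message body that can be handed to a mailer. The log lines and passwd files it operates on are constructed sample data written to a temporary directory so the script runs offline; the snapshot path and the helper names are assumptions of this example.

```bash
#!/bin/sh
# Added example, not part of the original post. Turns auditd events keyed
# "useradd-watch" into an alert and names the account that was added.
# Assumptions: standard /var/log/audit/audit.log line format, and a copy of
# /etc/passwd saved earlier (snapshot path is hypothetical).

# One line per SYSCALL event that matched our rule:
#   <epoch> auid=<login uid> exe=<program> comm=<command>
# auid is the uid of the user who originally logged in, so it survives sudo.
audit_events() {
    grep 'key="useradd-watch"' "$1" | grep '^type=SYSCALL' |
    sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).* auid=\([0-9]*\) .* comm="\([^"]*\)" exe="\([^"]*\)".*/\1 auid=\2 exe=\4 comm=\3/p'
}

# Usernames present in the current file ($2) but absent from the snapshot ($1).
# Only the name field is compared; uid or shell changes are a separate check.
new_users() {
    before=$(mktemp); now=$(mktemp)
    cut -d: -f1 "$1" | sort > "$before"
    cut -d: -f1 "$2" | sort > "$now"
    comm -13 "$before" "$now"
    rm -f "$before" "$now"
}

# Assemble the alert body: who touched the file, with what, and what appeared.
alert_message() {
    printf 'Subject: [%s] /etc/passwd modified\n\n' "$(hostname 2>/dev/null || echo localhost)"
    printf 'Audit events (key=useradd-watch):\n'
    audit_events "$1" | sed 's/^/  /'
    printf 'Accounts that appeared since last snapshot:\n'
    new_users "$2" "$3" | sed 's/^/  /'
}

# --- constructed sample input (not real logs or real accounts) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd a2=241 a3=1b6 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="useradd-watch"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000100.500:470): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=241 a3=1b6 items=2 ppid=2001 pid=2100 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudoers-watch"
EOF
cat > "$SAMPLE_DIR/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
EOF

# Print the alert. On a real host, pipe this into `sendmail -t` (after adding a
# To: header) or `mail -s`, and refresh the snapshot once the alert is sent.
alert_message "$SAMPLE_DIR/audit.log" "$SAMPLE_DIR/passwd.before" "$SAMPLE_DIR/passwd.after"
```

Two caveats worth knowing before you rely on this. A rule loaded with `auditctl -w` lives only in the running kernel and is gone after a reboot; to keep it, put the same rule (`-w /etc/passwd -p wa -k useradd-watch`) in a file under /etc/audit/rules.d/ so auditd reloads it at start. And the key on its own only tells you that /etc/passwd was written, which also happens on `usermod`, `chsh` and password-age updates; comparing against a snapshot, as `new_users` does, is what separates a new account from routine edits.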