← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the sudo command

audit-cmd-sudo · RHEL ≥ 8 · 1 impl

Description

All uses of the sudo command must be audited. The sudo command allows privilege escalation to run commands as other users.

Rationale

Auditing sudo command usage is critical for detecting privilege escalation and tracking privileged command execution.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281141 / RHEL-10-500550V-258204 / RHEL-09-654150V-230462

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#sudo