mediumauditverified ✓rollback-safe
Audit uses of the sudo command
audit-cmd-sudo · RHEL ≥ 8 · 1 impl
Description
All uses of the sudo command must be audited. The sudo command allows privilege escalation to run commands as other users.
Rationale
Auditing sudo command usage is critical for detecting privilege escalation and tracking privileged command execution.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281141 / RHEL-10-500550V-258204 / RHEL-09-654150V-230462
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#sudo