mediumauditverified ✓rollback-safe
Audit uses of the sudoedit command
audit-cmd-sudoedit · RHEL ≥ 9 · 1 impl
Description
All uses of the sudoedit command must be audited. The sudoedit command allows editing files with elevated privileges.
Rationale
Auditing sudoedit usage allows detection of privileged file modifications that could indicate configuration tampering.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281142 / RHEL-10-500560V-258205 / RHEL-09-654155
NIST 800-53
AU-2AU-12
Live verification
rhel9:check
#audit#auditd#privileged#sudo