← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the sudoedit command

audit-cmd-sudoedit · RHEL ≥ 9 · 1 impl

Description

All uses of the sudoedit command must be audited. The sudoedit command allows editing files with elevated privileges.

Rationale

Auditing sudoedit usage allows detection of privileged file modifications that could indicate configuration tampering.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281142 / RHEL-10-500560V-258205 / RHEL-09-654155

NIST 800-53

AU-2AU-12

Live verification

rhel9:check
#audit#auditd#privileged#sudo