← Rules Catalog
mediumauditverified rollback-safe

Ensure events that modify the sudo log file are collected

audit-sudo-log · RHEL ≥ 8 · 1 impl

Description

The sudo log file must be monitored for tampering.

Rationale

Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/sudo.log
Remediateaudit_rule_set
rule:
-w /var/log/sudo.log -p wa -k sudo_log
persist_file:
/etc/audit/rules.d/50-sudo.rules

Framework references

CIS

rhel9 6.3.3.3rhel10 6.3.3.3rhel8 6.3.3.3

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd