mediumauditverified ✓rollback-safe
Ensure events that modify the sudo log file are collected
audit-sudo-log · RHEL ≥ 8 · 1 impl
Description
The sudo log file must be monitored for tampering.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /var/log/sudo.log
Remediateaudit_rule_set
- rule:
- -w /var/log/sudo.log -p wa -k sudo_log
- persist_file:
- /etc/audit/rules.d/50-sudo.rules
Framework references
CIS
rhel9 6.3.3.3rhel10 6.3.3.3rhel8 6.3.3.3
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd