← Rules Catalog
mediumauditunverified

Audit changes to /etc/sudoers.d

audit-sudoers-d-rhel8 · RHEL ≥ 8 · 1 impl

Description

The audit system must record write and attribute changes to the /etc/sudoers.d directory so that modifications to drop-in sudo policy files are attributable.

Rationale

Drop-in files under /etc/sudoers.d carry the same privilege weight as /etc/sudoers; an unaudited change there can silently grant root-equivalent access. Watching the directory preserves accountability.

Check → Remediate

Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- '-w[[:space:]]+/etc/sudoers\.d/?[[:space:]]+-p[[:space:]]+wa'; then
  echo "OK: /etc/sudoers.d is watched for write/attribute changes"
  exit 0
fi
echo "FAIL: no '-w /etc/sudoers.d -p wa' audit watch loaded"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -w /etc/sudoers.d -p wa -k identity

Framework references

STIG

V-258218 / RHEL-09-654220V-230410 / RHEL-08-030172

NIST 800-53

AU-12AC-6
#audit#sudoers#identity#stig