mediumauditunverified
Audit changes to /etc/sudoers.d
audit-sudoers-d-rhel8 · RHEL ≥ 8 · 1 impl
Description
The audit system must record write and attribute changes to the /etc/sudoers.d directory so that modifications to drop-in sudo policy files are attributable.
Rationale
Drop-in files under /etc/sudoers.d carry the same privilege weight as /etc/sudoers; an unaudited change there can silently grant root-equivalent access. Watching the directory preserves accountability.
Check → Remediate
Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- '-w[[:space:]]+/etc/sudoers\.d/?[[:space:]]+-p[[:space:]]+wa'; then echo "OK: /etc/sudoers.d is watched for write/attribute changes" exit 0 fi echo "FAIL: no '-w /etc/sudoers.d -p wa' audit watch loaded" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -w /etc/sudoers.d -p wa -k identity
Framework references
STIG
V-258218 / RHEL-09-654220V-230410 / RHEL-08-030172
NIST 800-53
AU-12AC-6
#audit#sudoers#identity#stig