← Rules Catalog
mediumauditunverified

Audit write/attribute changes to /etc/sudoers.d/ (RHEL 10)

audit-sudoers-d-write-rhel10 · RHEL ≥ 10 · 1 impl

Description

On RHEL 10, record write and attribute changes to /etc/sudoers.d/ via the syscall-form audit rule (RHEL 10 deprecated the legacy -w watch form).

Rationale

Auditing changes to sudo privilege drop-in files supports detection of unauthorized modification and forensic reconstruction.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/etc/sudoers.d/ -F perm=wa
Remediatemanual
note:
Add `-a always,exit -F arch=b64 -F path=/etc/sudoers.d/ -F perm=wa -k identity` (and the b32 form) to /etc/audit/rules.d/ and augenrules --load.

Framework references

STIG

V-281155 / RHEL-10-500690

NIST 800-53

AU-12AC-6
#audit#sudoers-d#stig