mediumauditunverified
Audit changes to /etc/sudoers
audit-sudoers-rhel8 · RHEL ≥ 8 · 1 impl
Description
The audit system must record write and attribute changes to /etc/sudoers so that modifications to the sudo privilege policy are attributable.
Rationale
/etc/sudoers grants elevated privilege; an unaudited change to it can silently widen who can act as root. Watching it for write/attribute changes preserves accountability.
Check → Remediate
Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- '-w[[:space:]]+/etc/sudoers[[:space:]]+-p[[:space:]]+wa'; then echo "OK: /etc/sudoers is watched for write/attribute changes" exit 0 fi echo "FAIL: no '-w /etc/sudoers -p wa' audit watch loaded" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -w /etc/sudoers -p wa -k identity
Framework references
STIG
V-258217 / RHEL-09-654215V-230409 / RHEL-08-030171
NIST 800-53
AU-12AC-6
#audit#sudoers#identity#stig