← Rules Catalog
mediumauditunverified

Audit changes to /etc/sudoers

audit-sudoers-rhel8 · RHEL ≥ 8 · 1 impl

Description

The audit system must record write and attribute changes to /etc/sudoers so that modifications to the sudo privilege policy are attributable.

Rationale

/etc/sudoers grants elevated privilege; an unaudited change to it can silently widen who can act as root. Watching it for write/attribute changes preserves accountability.

Check → Remediate

Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- '-w[[:space:]]+/etc/sudoers[[:space:]]+-p[[:space:]]+wa'; then
  echo "OK: /etc/sudoers is watched for write/attribute changes"
  exit 0
fi
echo "FAIL: no '-w /etc/sudoers -p wa' audit watch loaded"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -w /etc/sudoers -p wa -k identity

Framework references

STIG

V-258217 / RHEL-09-654215V-230409 / RHEL-08-030171

NIST 800-53

AU-12AC-6
#audit#sudoers#identity#stig