highauditverified ✓rollback-safe
Ensure changes to system administration scope (sudoers) is collected
audit-sudoers · RHEL ≥ 8 · 1 impl
Description
Changes to sudoers files must be audited to detect privilege escalation attempts.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /etc/sudoers
Remediateaudit_rule_set
- rule:
- -w /etc/sudoers -p wa -k scope
- persist_file:
- /etc/audit/rules.d/50-scope.rules
Framework references
CIS
rhel8 6.3.3.1rhel9 6.3.3.1
NIST 800-53
AU-2AU-12AC-6
Live verification
rhel8:checkrhel9:check
#audit#auditd#sudo#privilege-escalation