← Rules Catalog
highauditverified rollback-safe

Ensure changes to system administration scope (sudoers) is collected

audit-sudoers · RHEL ≥ 8 · 1 impl

Description

Changes to sudoers files must be audited to detect privilege escalation attempts.

Rationale

Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/sudoers
Remediateaudit_rule_set
rule:
-w /etc/sudoers -p wa -k scope
persist_file:
/etc/audit/rules.d/50-scope.rules

Framework references

CIS

rhel8 6.3.3.1rhel9 6.3.3.1

NIST 800-53

AU-2AU-12AC-6

Live verification

rhel8:checkrhel9:check
#audit#auditd#sudo#privilege-escalation