mediumauditverified ✓✓rollback-safe
Audit access to /var/log/sudo.log (Ubuntu)
audit-watch-sudo-log · UBUNTU ≥ 22 · 1 impl
Description
Modifications to /var/log/sudo.log must generate an audit record so that administrative (sudo) actions can be traced to an individual.
Rationale
Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /var/log/sudo.log -p wa -k maintenance
Remediateaudit_rule_set
- rule:
- -w /var/log/sudo.log -p wa -k maintenance
- persist_file:
- /etc/audit/rules.d/50-watch-sudo-log.rules
Framework references
STIG
V-270740 / UBTU-24-500010V-260649 / UBTU-22-654235
NIST 800-53
AU-2AU-12
Live verification
ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch