← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /var/log/sudo.log (Ubuntu)

audit-watch-sudo-log · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /var/log/sudo.log must generate an audit record so that administrative (sudo) actions can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/sudo.log -p wa -k maintenance
Remediateaudit_rule_set
rule:
-w /var/log/sudo.log -p wa -k maintenance
persist_file:
/etc/audit/rules.d/50-watch-sudo-log.rules

Framework references

STIG

V-270740 / UBTU-24-500010V-260649 / UBTU-22-654235

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch