← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /etc/sudoers (Ubuntu)

audit-watch-sudoers · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /etc/sudoers must generate an audit record so that changes to sudo privileges can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/sudoers -p wa -k privilege_modification
Remediateaudit_rule_set
rule:
-w /etc/sudoers -p wa -k privilege_modification
persist_file:
/etc/audit/rules.d/50-watch-sudoers.rules

Framework references

STIG

V-270807 / UBTU-24-900510V-260646 / UBTU-22-654220

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch