4.1.16 Ensure changes to system administration scope (sudoers) is collected - /etc/sudoers

Information

Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier 'scope.'

Rationale:

Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

Notes:

Reloading the auditd config to set active settings may require a system reboot.

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72163

Rule ID: SV-86787r5_rule

STIG ID: RHEL-07-030700

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|4.8, CSCv7|6.3

Plugin: Unix

Control ID: 66b59ad03e40abffaaeeae2298bc642f3f4d2f1ab6ac69b5e5a7ed18ef5709b2