4.1.16 Ensure system administrator actions (sudolog) are collected
Information
Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.
Solution
Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions