4.1.16 Ensure system administrator actions (sudolog) are collected - auditctl

Information

Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed.

Solution

Add the following line to the /etc/audit/audit.rules file:
-w /var/log/sudo.log -p wa -k actions
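The following POSIX shell functions are an added example, not part of the benchmark or of the Tenable plugin, for verifying the control from a script: they test whether a watch on /var/log/sudo.log that audits both writes (w) and attribute changes (a) appears in the on-disk rules or in the rules currently loaded by the kernel. Reading /etc/audit/rules.d/*.rules alongside /etc/audit/audit.rules is an assumption about augenrules-based systems; the sample rule line at the end is constructed.

```shell
#!/bin/sh
# Read audit rules on stdin (a rules file or the output of `auditctl -l`)
# and return 0 when a watch on /var/log/sudo.log with both "w" and "a"
# permissions is present. Comment lines are ignored, and the key name
# after -k is not required to be "actions": the control only needs the
# file's writes and attribute changes to reach the audit trail.
sudolog_rule_present() {
    grep -Ev '^[[:space:]]*#' \
      | grep -E -- '(^|[[:space:]])-w[[:space:]]+/var/log/sudo\.log([[:space:]]|$)' \
      | grep -Eq -- '(^|[[:space:]])-p[[:space:]]+([rwxa]*w[rwxa]*a|[rwxa]*a[rwxa]*w)[rwxa]*([[:space:]]|$)'
}

# On-disk configuration. Assumption: on systems using augenrules, drop-in
# files under /etc/audit/rules.d are merged into audit.rules at service
# start, so both locations are checked and the persistent rule may live
# in either one.
sudolog_rule_configured() {
    cat /etc/audit/audit.rules /etc/audit/rules.d/*.rules 2>/dev/null \
      | sudolog_rule_present
}

# Rules actually active in the kernel (needs root and the audit tools).
# Returns 2 when auditctl is not installed so callers can tell "cannot
# check" apart from "rule missing".
sudolog_rule_loaded() {
    command -v auditctl >/dev/null 2>&1 || return 2
    auditctl -l 2>/dev/null | sudolog_rule_present
}

# Constructed sample line, as it would appear in audit.rules or in
# `auditctl -l` output, run through the check.
sample='-w /var/log/sudo.log -p wa -k actions'
printf '%s\n' "$sample" | sudolog_rule_present \
  && echo "watch on /var/log/sudo.log with w+a permissions present"
```

A configured rule that is not loaded (sudolog_rule_configured succeeds, sudolog_rule_loaded fails) usually means auditd was not restarted or the rules were not reloaded after the edit.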

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|5.1, CSCv6|5.5

Plugin: Unix

Control ID: 19d7d174c2d5ec83e740b10e059ed64b29e24694b0b7fa0170e196aeeb3426c8