6.1.2 Ensure sudo logging is active

Information

All commands executed via sudo should be logged to either syslog (default) or a dedicated log file

Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

Logging of commands executed via sudo enables auditing of those commands

Solution

Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE>

Remove the any lines which are found containing

syslog_badpri=none

or

syslog_goodpri=none

-OR-

If you do not want to log sudo commands to syslog, to use as sudo specific log file add the following line:

Defaults logfile="<PATH TO CUSTOM LOG FILE>"

Example:

Defaults logfile="/var/log/sudo.log"

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12

Plugin: Unix

Control ID: ca0a70abb5e5f5071c1a38f3b15dee582f31b11471868a2330d433086a9e8bb6