Information
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. An audit record is generated whenever the file /etc/sudoers, or a file in the /etc/sudoers.d directory, is written to or has its attributes changed.
Note: Reloading the auditd config to set active settings may require a system reboot.
Rationale:
Changes in the /etc/sudoers file, or in a file in the /etc/sudoers.d/ directory, can indicate that an unauthorized change has been made to the scope of system administrator activity.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules.
Example: vi /etc/audit/rules.d/50-scope.rules
Add the following lines:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
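The following is an added verification example, not part of the benchmark text: it checks that the on-disk audit rules contain a -w watch on /etc/sudoers and on /etc/sudoers.d/ whose -p permission set covers both writes (w) and attribute changes (a). The rules directory is a parameter (point it at /etc/audit/rules.d on a real host); here it runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the audit rules themselves.
# rule_covers RULES_DIR PATH -> 0 if some *.rules file in RULES_DIR has a
# "-w PATH -p <perms> -k <key>" line whose perms include both w and a.
rule_covers() {
    want=$(printf '%s' "$2" | sed 's:/*$::')   # tolerate a trailing slash
    cat "$1"/*.rules 2>/dev/null | awk -v want="$want" '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        {
            path = ""; perms = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-w") { path = $(i+1); sub(/\/+$/, "", path) }
                if ($i == "-p") perms = $(i+1)
            }
            # a watch only counts if it records writes AND attribute changes
            if (path == want && perms ~ /w/ && perms ~ /a/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# scope_rules_ok RULES_DIR -> 0 only if both scope watches are present.
scope_rules_ok() {
    rule_covers "$1" /etc/sudoers && rule_covers "$1" /etc/sudoers.d/
}

# Constructed sample input: a compliant rules directory and one where the
# sudoers.d watch records writes only, so chmod/chown would go unlogged.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/good" "$SAMPLE/weak"
printf '%s\n' '-w /etc/sudoers -p wa -k scope' \
              '-w /etc/sudoers.d/ -p wa -k scope' > "$SAMPLE/good/50-scope.rules"
printf '%s\n' '# scope monitoring' \
              '-w /etc/sudoers -p wa -k scope' \
              '-w /etc/sudoers.d -p w -k scope' > "$SAMPLE/weak/50-scope.rules"

for d in good weak; do
    if scope_rules_ok "$SAMPLE/$d"; then echo "$d: PASS"; else echo "$d: FAIL"; fi
done
```

This inspects the persisted rules only; compare against the active kernel rule set with `auditctl -l`, since rules.d changes are not loaded until augenrules runs or the service is restarted.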
Item Details
Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-12c., 800-53|MA-4(1)(a), CCI|CCI-000130, CCI|CCI-000135, CCI|CCI-000172, CCI|CCI-002884, CSCv7|4.8, CSCv7|6.2, Rule-ID|SV-204549r603261_rule, STIG-ID|RHEL-07-030700
Control ID: 44da8cb1108fa2ca89de45da66efed03d526bc48df447d9e78c49a0794b5c3d1