4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers

Information

Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier 'scope'.

Rationale:

Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.
Example:

# printf '
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
' >> /etc/audit/rules.d/50-scope.rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi

Additional Information:

Potential reboot required

If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.

System call structure

For performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.

See Also

https://workbench.cisecurity.org/files/4068