Information
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers or files in /etc/sudoers.d will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".
Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor scope changes for system administrators.
Example:
# printf '%s
' "-w /etc/sudoers -p wa -k scope" "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/50-scope.rules
Merge and load the rules into active configuration:
# augenrules --load
Check if reboot is required.
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules
"; fi