Information
The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk.
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Solution
Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect '/etc/sudoers.d/'.
Add or update the following file system rule to '/etc/audit/rules.d/audit.rules':
-w /etc/sudoers.d/ -p wa -k identity
The audit daemon must be restarted for the changes to take effect.
$ sudo service auditd restart
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AC-2(1), 800-53|AC-2(4), 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-12a., 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000015, CCI|CCI-000018, CCI|CCI-000130, CCI|CCI-000135, CCI|CCI-000169, CCI|CCI-000172, CCI|CCI-001403, CCI|CCI-001404, CCI|CCI-001405, CCI|CCI-002130, CCI|CCI-002132, CCI|CCI-002884, Rule-ID|SV-258218r1015129_rule, STIG-ID|RHEL-09-654220, Vuln-ID|V-258218
Control ID: 2d2b8ae308f8d19ed0510e1b81561e21c39babffc5157f194497215f457afb7d