AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

An XCCDF Rule

Description

Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd policy will watch for and alert the system administrators regarding any modifications to the files within "/etc/sudoers.d/" such as adding privileged users, groups, or commands. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

ID: SV-269135r1050017_rule
Version: ALMA-09-006070
Severity: Medium
References: CCI-000015 CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130 CCI-002884
Updated: about 2 months ago

Remediation Templates

Configure AlmaLinux OS 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/.

Add the following to the "/etc/audit/rules.d/audit.rules" file:

-w /etc/sudoers.d/ -p wa -k identity
Merge the rules into /etc/audit/audit.rules:

$ augenrules --load

Reboot the server so the changes to take effect.

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

Description

Remediation Templates

A Manual Procedure