Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
An XCCDF Rule
Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers files may be a sign of an attacker trying to establish persistence on a system; auditing edits to the sudoers files mitigates this risk.
- ID: xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
- Severity: Medium
- References: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
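As an added example, not the rule's own remediation script, the following POSIX shell functions implement the check and fix the description calls for: rule_present looks for an uncommented watch on /etc/sudoers.d/ whose -p set covers both w and a (the key may differ), and ensure_rule appends the rule to a file under the augenrules directory, or to the single auditctl file when that directory is absent. The directory and file paths are parameters so the functions can be exercised on constructed files; the actions.rules file name and the --apply flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not the rule's own remediation script): check for the
# sudoers.d watch rule and append it when missing. Paths are parameters
# so the functions can be exercised on constructed files, not /etc/audit.

RULE='-w /etc/sudoers.d/ -p wa -k actions'

# rule_present RULES_FILE...
# Succeeds if any file has an uncommented watch on /etc/sudoers.d/ whose
# -p set contains both w and a (the key may differ). Missing files = empty.
rule_present() {
    pat='^[[:space:]]*-w[[:space:]]+/etc/sudoers\.d/?[[:space:]]+-p[[:space:]]+[rwxa]*(w[rwxa]*a|a[rwxa]*w)'
    grep -hE "$pat" "$@" 2>/dev/null | grep -q .
}

# ensure_rule RULES_DIR AUDIT_RULES_FILE
# augenrules case: RULES_DIR (/etc/audit/rules.d) exists, so all *.rules in
# it are checked and the rule goes into RULES_DIR/actions.rules (file name
# chosen for this example). auditctl case: no RULES_DIR, so the single
# AUDIT_RULES_FILE (/etc/audit/audit.rules) is checked and updated.
# Returns 0 if the rule was already present, 2 if it had to be added.
ensure_rule() {
    dir=$1
    fallback=$2
    if [ -d "$dir" ]; then
        target="$dir/actions.rules"
        rule_present "$dir"/*.rules && return 0
    else
        target=$fallback
        rule_present "$target" && return 0
    fi
    printf '%s\n' "$RULE" >> "$target"
    return 2
}

# Touch the live system only when asked explicitly (requires root).
if [ "${1:-}" = "--apply" ]; then
    ensure_rule /etc/audit/rules.d /etc/audit/audit.rules
    case $? in
        0) echo "sudoers.d watch already present" ;;
        2) echo "rule added; reload with 'augenrules --load' or 'auditctl -R /etc/audit/audit.rules'" ;;
    esac
fi
```

Run it without arguments to load the functions only; a second run of ensure_rule against the same files is a no-op, so it is safe to repeat.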
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- audit_rules_sudoers_d
- low_complexity