4.1.15 Ensure changes to system administration scope (sudoers) is collected - /etc/sudoers.d

Information

Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to the scope of system administrator activity.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
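
An added check, not part of the benchmark text: the shell function below reads an audit rules file on standard input and prints each of the two sudoers paths that lacks a well-formed watch with write (w) and attribute-change (a) permissions and the key scope. The function name, and the choice to ignore any line that repeats an option, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the benchmark): report which sudoers watches are
# missing from audit rules supplied on stdin. Prints nothing when both exist.
missing_scope_watches() {
    awk '
        BEGIN { need["/etc/sudoers"] = 1; need["/etc/sudoers.d"] = 1 }
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            path = ""; perms = ""; key = ""
            nw = 0; np = 0; nk = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-w")      { path  = $(i + 1); nw++ }
                else if ($i == "-p") { perms = $(i + 1); np++ }
                else if ($i == "-k") { key   = $(i + 1); nk++ }
            }
            # Assumption of this example: a line that repeats an option
            # (for instance two rules run together) is not counted.
            if (nw != 1 || np != 1 || nk != 1) next
            # Require both write and attribute-change auditing, key "scope".
            if ((path in need) && perms ~ /w/ && perms ~ /a/ && key == "scope")
                delete need[path]
        }
        END { for (p in need) print p }
    ' | LC_ALL=C sort
}

# Constructed sample input: the first path is watched correctly, the second
# only audits reads, so it is reported as missing.
printf '%s\n' \
    '# sudoers scope' \
    '-w /etc/sudoers -p wa -k scope' \
    '-w /etc/sudoers.d -p r -k scope' | missing_scope_watches
```

On a real host, run it as `missing_scope_watches < /etc/audit/audit.rules`; empty output means both watches are present.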

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|5.4

Plugin: Unix

Control ID: 85ace9e9c49f606738a9d2921ea3378b20428262077d950841b1c8597cf4a8f4