4.1.17 Ensure system administrator actions (sudolog) are collected - auditctl


Monitor the sudo log file. If the system has been properly configured to disable the use of
the su command and force all administrators to have to log in first and then use sudo to
execute privileged commands, then all administrator commands will be logged to
/var/log/sudo.log . Any time a command is executed, an audit event will be triggered as
the /var/log/sudo.log file will be opened for write and the executed administration
command will be written to the log.


Changes in /var/log/sudo.log indicate that an administrator has executed a command or
the log file itself has been tampered with. Administrators will want to correlate the events
written to the audit trail with the records written to /var/log/sudo.log to verify if
unauthorized commands have been executed.


Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-w /var/log/sudo.log -p wa -k actions


The system must be configured with sudisabled (See Item 5.6 Ensure access to the su
command is restricted) to force all command execution through sudo. This will not be
effective on the console, as administrators can log in as root.

Reloading the auditd config to set active settings may require a system reboot.

See Also