4.1.3.2 Ensure system administrator command executions (sudo) are collected - 64 bit auditctl

Information

sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed.

Rationale:

creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed.

Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:

# awk '/^s*UID_MIN/{print $2}' /etc/login.defs

If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures.

Reloading the auditd config to set active settings may require a system reboot.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules:
Example: vi /etc/audit/rules.d/50-actions.rules
Add the following line:

-a exit,always -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules:
Example: vi /etc/audit/rules.d/50-actions.rules
Add the following lines:

-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions

See Also

https://workbench.cisecurity.org/files/3636