Detections
Analytics
6.3.3.1 Ensure modification of the /etc/sudoers file is collected
Information
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.
Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Solution
Note:- The -w option is deprecated and the rule should be updated in accordance with the Remediation Procedure.
- For best performance, the arch field should be supplied in the rule. The individual permissions will cause the selection of specific system calls that use that kind of access. Not supplying the arch will cause the selection of all system calls which will affect performance as all system calls will be evaluated.
- Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.
Example:
# printf '%s\n' "
-a always,exit -F arch=b64 -S all -F path=/etc/sudoers -F perm=wa -F key=scope
-a always,exit -F arch=b64 -S all -F dir=/etc/sudoers.d -F perm=wa -F key=scope
" >> /etc/audit/rules.d/50-scope.rules
- Merge and load the rules into active configuration:
# augenrules --load
- Check if reboot is required:
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
See Also
Item Details
Audit Name: CIS Rocky Linux 10 v1.0.0 L2 Server
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12a., CCI|CCI-002884, CSCv7|4.8, Rule-ID|SV-230409r627750_rule, Rule-ID|SV-230410r627750_rule, Rule-ID|SV-258217r1045436_rule, Rule-ID|SV-258218r1045439_rule, Rule-ID|SV-260646r991575_rule, Rule-ID|SV-260647r991575_rule, Rule-ID|SV-269129r1050011_rule, Rule-ID|SV-269135r1050017_rule, Rule-ID|SV-270807r1066910_rule, Rule-ID|SV-270808r1067100_rule, STIG-ID|ALMA-09-004970, STIG-ID|ALMA-09-006070, STIG-ID|RHEL-08-030171, STIG-ID|RHEL-08-030172, STIG-ID|RHEL-09-654215, STIG-ID|RHEL-09-654220, STIG-ID|UBTU-22-654220, STIG-ID|UBTU-22-654225, STIG-ID|UBTU-24-900510, STIG-ID|UBTU-24-900520
Plugin: Unix
Control ID: 7044185d0f54731353349199c1c810f7dcadc4be188205f6e0f3e83c1b732c44