RHEL-10-500680 - RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

Information

The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the "sudoers" file may be sign of an attacker trying to establish persistent methods to a system. Auditing the editing of the "sudoers" files mitigates this risk.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Solution

Configure RHEL 10 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=logins
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=logins

Restart the audit daemon with the following command for the changes to take effect:

$ sudo service auditd restart

Item Details

Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE

Plugin: Unix

Control ID: debbe6097ee806efcad43fa9af84cd0232dd2e6f0fd94c8577bc882d414bb2bd

Detections

Analytics

RHEL-10-500680 - RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

Information

Solution

See Also

Item Details