← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282353

CAT II (Medium)

TOSS 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.

Rule ID

SV-282353r1200039_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-001403 CCI-001404 CCI-001405 CCI-002130 CCI-000015 CCI-002884 CCI-000172

Discussion

The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221

Check Content

Verify TOSS 5 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" using the following command:

$ sudo auditctl -l | grep /etc/sudoers

-w /etc/sudoers -p wa -k identity

If the command does not return a line or the line is commented out, this is a finding.

Fix Text

Configure TOSS 5 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/sudoers -p wa -k identity

Restart the audit daemon for the changes to take effect.