V-269135

CAT II (Medium)

AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

Rule ID

SV-269135r1050017_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000015, CCI-002884, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-002130

Discussion

Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd policy will watch for and alert the system administrators regarding any modifications to the files within "/etc/sudoers.d/" such as adding privileged users, groups, or commands.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Check Content

Verify AlmaLinux OS 9 generates audit records for all account creations, modifications, disabling, and termination events that affect the files within "/etc/sudoers.d/", with the following command: 
 
$ grep /etc/sudoers.d/ /etc/audit/audit.rules 
 
-w /etc/sudoers.d/ -p wa -k identity 
 
If the command does not return a line or the line is commented out, this is a finding.
 
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
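
The check above as a script, added here as an example (it is not part of the STIG or of this site): it skips commented-out lines, accepts any "-k" key, and requires the "-p" value to include both "w" and "a". The function name check_sudoers_d_watch is hypothetical, and treating a watch with no explicit "-p" as a finding is a choice made for this example.

```shell
#!/bin/sh
# Added example: evaluate the V-269135 check against an audit rules file.
# Returns 0 when an active watch on /etc/sudoers.d/ covers writes (w) and
# attribute changes (a); returns 1 (a finding) otherwise.
# Usage: check_sudoers_d_watch /etc/audit/audit.rules && echo "not a finding"
check_sudoers_d_watch() {
    rules_file=${1:-/etc/audit/audit.rules}

    # An unreadable or missing rules file cannot demonstrate compliance.
    [ -r "$rules_file" ] || return 1

    awk -v want="/etc/sudoers.d/" '
        # A commented-out rule is not loaded, so it does not count.
        /^[ \t]*#/ { next }
        {
            path = ""; perms = ""
            # Option order on the line is not fixed; scan all fields.
            for (i = 1; i < NF; i++) {
                if ($i == "-w")      path  = $(i + 1)
                else if ($i == "-p") perms = $(i + 1)
            }
            # The -k value is deliberately ignored: any key is acceptable.
            if (path == want && perms ~ /w/ && perms ~ /a/) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$rules_file"
}
```
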

Fix Text

Configure AlmaLinux OS 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".

Add the following to the "/etc/audit/rules.d/audit.rules" file:

-w /etc/sudoers.d/ -p wa -k identity

Merge the rules into /etc/audit/audit.rules:

$ augenrules --load

Reboot the server for the changes to take effect.