Profile Applicability:
Level 2
Description:
The sudoers file (/etc/sudoers) and the drop-in directory /etc/sudoers.d define who may run commands with elevated privileges on the system. Auditing modifications to these files makes unauthorized or unexpected changes to the administrative scope visible, which is critical for system security.
Rationale:
Monitoring changes to sudoers provides accountability for every change to who can become root and reduces the risk of privilege abuse. An unaudited change can silently grant persistent elevated access and lead to system compromise or data breaches.
Impact:
Pros:
Provides traceability of administrative privilege changes
Supports security incident investigations
Enhances compliance with least privilege policies
Cons:
May generate additional audit logs requiring review
Default Value:
By default, no audit rules watch /etc/sudoers or /etc/sudoers.d.
Pre-requisites:
auditd installed and running
Root or sudo access required
Test Plan:
Using Linux Command Line:
Check the rules currently loaded in the kernel for watches on the sudoers file and directory:
auditctl -l | grep sudoers
Both paths should appear with write and attribute-change permissions, for example (the key name may differ):
-w /etc/sudoers -p wa -k scope_changes
-w /etc/sudoers.d/ -p wa -k scope_changes
Review the persistent audit rules configuration files, since a rule that is loaded but not written to disk is lost at reboot:
grep sudoers /etc/audit/rules.d/*
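The following script is an added example, not part of the CIS benchmark text: it automates the test plan above by parsing audit rule lines (either `auditctl -l` output or the contents of /etc/audit/rules.d/*.rules) and reporting whether both required watches are present with `wa` permissions. The function names `has_watch` and `check_scope_rules` and the key name `scope_changes` are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the CIS page): verify that audit rules watch
# /etc/sudoers and /etc/sudoers.d with write (w) and attribute-change (a)
# permissions. Feed it the output of `auditctl -l` (loaded rules) or the
# contents of /etc/audit/rules.d/*.rules (persistent rules).
#
# Only the `-w PATH -p PERMS` watch syntax is recognised; the equivalent
# `-a always,exit -F path=... -F perm=...` form is not parsed here.

# has_watch PATH: succeed (0) if the rules text on stdin contains a watch on
# PATH whose permission set includes both 'w' and 'a'. A trailing slash on
# either side is ignored so "/etc/sudoers.d/" and "/etc/sudoers.d" match.
has_watch() {
    awk -v want="$1" '
        $1 == "-w" {
            p = $2; sub(/\/$/, "", p)
            w = want; sub(/\/$/, "", w)
            if (p != w) next
            perm = ""
            for (i = 3; i <= NF; i++) if ($i == "-p") perm = $(i + 1)
            if (perm ~ /w/ && perm ~ /a/) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# check_scope_rules RULES_TEXT: print PASS/FAIL per required path and return
# the number of missing watches (0 means both watches are present).
check_scope_rules() {
    rules="$1"
    missing=0
    for path in /etc/sudoers /etc/sudoers.d/; do
        if printf '%s\n' "$rules" | has_watch "$path"; then
            echo "PASS: 'wa' watch on $path"
        else
            echo "FAIL: no 'wa' watch on $path"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Live check, only when run as root on a host that has auditctl. Both the
# loaded rule set and the on-disk rule set are checked, because a rule added
# with auditctl alone disappears at the next reboot.
if [ "$(id -u)" = 0 ] && command -v auditctl >/dev/null 2>&1; then
    echo "== loaded rules (auditctl -l) =="
    check_scope_rules "$(auditctl -l 2>/dev/null)"
    echo "== persistent rules (/etc/audit/rules.d/*.rules) =="
    check_scope_rules "$(cat /etc/audit/rules.d/*.rules 2>/dev/null)"
fi
```

Run it as root on the target host; a non-zero exit from `check_scope_rules` on either rule set means the control is not met. The permission match accepts any superset of `wa` (for example `rwxa`), and the check is deliberately run against both the kernel and the on-disk rules so that a watch added only with `auditctl` is flagged as non-persistent. Very old audit releases print `auditctl -l` output in a different format that this parser does not understand; on those, check the rules.d files only.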
Implementation Plan:
Using Linux Command Line:
Add audit rules to the running kernel to monitor writes and attribute changes on the sudoers file and directory:
auditctl -w /etc/sudoers -p wa -k scope_changes
auditctl -w /etc/sudoers.d/ -p wa -k scope_changes
To persist these rules across reboots, add the following lines to
/etc/audit/rules.d/audit.rules
(or to a dedicated file such as /etc/audit/rules.d/50-scope.rules; augenrules merges every *.rules file in that directory):
-w /etc/sudoers -p wa -k scope_changes
-w /etc/sudoers.d/ -p wa -k scope_changes
Load the persistent rules:
augenrules --load
On Amazon Linux 2 and other RHEL-derived systems the auditd unit sets RefuseManualStop=yes, so systemctl restart auditd is refused; use augenrules --load, service auditd restart, or reboot. If the rules are locked with -e 2, no change takes effect until the system is rebooted.
Backout Plan:
Using Linux Command Line:
Remove the loaded audit rules monitoring sudoers:
auditctl -W /etc/sudoers -p wa -k scope_changes
auditctl -W /etc/sudoers.d/ -p wa -k scope_changes
Remove the corresponding -w lines from
/etc/audit/rules.d/audit.rules
(or whichever rules.d file they were added to).
Reload the persistent rules:
augenrules --load
As with the implementation, systemctl restart auditd is refused on Amazon Linux 2; use augenrules --load or service auditd restart, and reboot if the rules were locked with -e 2.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Rule Documentation
NIST SP 800-53 Revision 5 - AU-6