Profile Applicability:
Level 2
Description:
The audit system should log all instances where users perform actions as another user, such as using sudo or su commands. Capturing these events provides accountability and helps detect unauthorized privilege escalations or misuse of elevated access.
Rationale:
Logging actions performed as another user supports security monitoring, forensic investigations, and compliance requirements. Without such logs, it becomes difficult to track who performed critical administrative actions.
Impact:
Pros:
Improves traceability of privilege escalation activities
Supports incident response and auditing
Enhances compliance with security policies
Cons:
Generates additional audit records requiring review and storage
Default Value:
Audit rules for sudo or su commands are not always present by default.
Pre-requisites:
auditd installed and running
Root or sudo privileges to add audit rules
Test Plan:
Using Linux Command Line:
Check the loaded audit rules for watches on the sudo and su binaries. Anchor the pattern on the path: a loose grep for 'su' also matches unrelated rules such as a watch on /etc/issue, and 'su' alone matches the sudo line.
auditctl -l | grep -E '^-w /usr/bin/(sudo|su) '
Review the persistent rule files the same way; both commands should return one line for sudo and one for su, each carrying the key actions_as_another_user:
grep -E '^-w /usr/bin/(sudo|su) ' /etc/audit/rules.d/*.rules
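The following script is an added example and is not part of the benchmark text. It does two things the test plan leaves to the reader: it checks a saved rule listing (the output of auditctl -l or a rules.d file) for both watches with an anchored match, and it summarises the raw SYSCALL records those watches generate by login UID (auid) and executable, so that a reviewer can see who invoked sudo or su and how often. The rule listings and audit.log lines are constructed samples, not captured from a host; the file names and the function names rules_present and summarize_records are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark). Uses only sh, grep, awk and
# sort so it runs offline against saved `auditctl -l` output, rules.d files
# and raw /var/log/audit/audit.log lines.

KEY="actions_as_another_user"

# rules_present FILE
# Succeeds only if FILE contains an execute watch on BOTH /usr/bin/sudo and
# /usr/bin/su carrying $KEY. The path is anchored on both sides, so the
# /usr/bin/su pattern cannot be satisfied by the /usr/bin/sudo line and a
# watch on e.g. /etc/issue (which a loose `grep -E 'sudo|su'` matches) is ignored.
rules_present() {
    _file="$1"
    for _bin in /usr/bin/sudo /usr/bin/su; do
        grep -Eq -- "^[[:space:]]*-w[[:space:]]+$_bin[[:space:]]+-p[[:space:]]+[a-z]*x[a-z]*[[:space:]]+-k[[:space:]]+$KEY[[:space:]]*\$" "$_file" || return 1
    done
    return 0
}

# summarize_records FILE
# Reads raw audit records and prints one line "AUID EXE COUNT" per (auid, exe)
# pair whose key is $KEY. auid is the login UID, which survives sudo/su, so it
# is the accountable identity; 4294967295 means the login UID was never set
# (cron jobs, service units), and such records deserve a separate look.
summarize_records() {
    awk -v key="$KEY" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") > 0 {
            auid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            count[auid " " exe]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# ---- constructed sample inputs (not captured from a real host) ----
_dir="${TMPDIR:-/tmp}/audit_example.$$"
mkdir -p "$_dir"

SAMPLE_RULES_OK="$_dir/rules_ok"
cat > "$SAMPLE_RULES_OK" <<'EOF'
-w /etc/issue -p wa -k system-locale
-w /usr/bin/sudo -p x -k actions_as_another_user
-w /usr/bin/su -p x -k actions_as_another_user
EOF

SAMPLE_RULES_MISSING="$_dir/rules_missing"
cat > "$SAMPLE_RULES_MISSING" <<'EOF'
-w /etc/issue -p wa -k system-locale
-w /usr/bin/sudo -p x -k actions_as_another_user
EOF

# Four records carry the key (two sudo runs by auid 1000, one su by auid 1001,
# one sudo from a context with no login UID); the PROCTITLE line and the
# system-locale record must be ignored by the summary.
SAMPLE_LOG="$_dir/audit.log"
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=5 comm="sudo" exe="/usr/bin/sudo" key="actions_as_another_user"
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=7375646F002D69
type=SYSCALL msg=audit(1700000000.150:202): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3005 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=5 comm="sudo" exe="/usr/bin/sudo" key="actions_as_another_user"
type=SYSCALL msg=audit(1700000000.200:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=0 fsgid=0 tty=pts1 ses=6 comm="su" exe="/usr/bin/su" key="actions_as_another_user"
type=SYSCALL msg=audit(1700000000.300:204): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="actions_as_another_user"
type=SYSCALL msg=audit(1700000000.400:205): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="system-locale"
EOF

# Stand-alone run: report on the constructed inputs.
if rules_present "$SAMPLE_RULES_OK"; then echo "rules_ok: both watches present"; fi
if ! rules_present "$SAMPLE_RULES_MISSING"; then echo "rules_missing: a watch is missing"; fi
summarize_records "$SAMPLE_LOG"
```

On a live host, save the listing first (auditctl -l > /tmp/rules.txt) and pass that file to rules_present; run summarize_records directly on /var/log/audit/audit.log. The summary deliberately groups by auid rather than uid, because uid is already 0 by the time the privileged shell does anything and tells the investigator nothing about who started it.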
Implementation Plan:
Using Linux Command Line:
Add runtime audit rules that record every execution of sudo and su. A watch with -p x on a binary produces a SYSCALL record for each execve of that path, tagged with the key given by -k; the record's auid field preserves the original login UID, which is what makes the action attributable after the switch to another user. Confirm the paths first (command -v sudo su), since a watch on a path that does not exist is silently useless.
auditctl -w /usr/bin/sudo -p x -k actions_as_another_user
auditctl -w /usr/bin/su -p x -k actions_as_another_user
To make the rules persistent, add the following lines to
/etc/audit/rules.d/audit.rules:
-w /usr/bin/sudo -p x -k actions_as_another_user
-w /usr/bin/su -p x -k actions_as_another_user
Load the persistent rules. On Amazon Linux 2 the auditd unit refuses manual stop and restart through systemctl, so use augenrules, which merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads the result, or the service script:
augenrules --load
service auditd restart
If auditctl -s reports enabled 2 (the rule set was made immutable with -e 2), new rules cannot be loaded until the system is rebooted. Verify with auditctl -l | grep actions_as_another_user, which should list both watches.
Backout Plan:
Using Linux Command Line:
Remove the runtime audit rules for sudo and su (-W deletes the watch that matches the same path, permissions and key):
auditctl -W /usr/bin/sudo -p x -k actions_as_another_user
auditctl -W /usr/bin/su -p x -k actions_as_another_user
Remove the two lines from /etc/audit/rules.d/audit.rules and reload the rule set so the persistent configuration matches the running one:
augenrules --load
service auditd restart
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Rule Documentation
NIST SP 800-53 Revision 5 - AU-6