Profile Applicability:
Level 2
Description:
The sudo log file contains records of commands run with elevated privileges. Monitoring modifications to this file ensures that any unauthorized changes or tampering attempts are detected promptly, preserving the integrity of audit trails.
Rationale:
Collecting events that modify the sudo log file helps maintain the trustworthiness of audit records, supports forensic investigations, and ensures compliance with security policies.
Impact:
Pros:
Detects unauthorized modification or deletion of sudo logs
Supports security incident detection and investigation
Enhances compliance and accountability
Cons:
May generate additional audit records that require monitoring
Default Value:
Audit rules may not be configured by default to monitor the sudo log file.
Pre-requisites:
auditd installed and running
Root or sudo privileges
Test Plan:
Using Linux Command Line:
Check if audit rules exist for the sudo log file (e.g., /var/log/sudo.log or /var/log/secure):
auditctl -l | grep sudo
Review audit rules configuration files:
grep sudo /etc/audit/rules.d/*
Implementation Plan:
Using Linux Command Line:
Add an audit rule to watch the sudo log file (example for /var/log/secure):
auditctl -w /var/log/secure -p wa -k sudo_log_modifications
To persist the rule, add the following line to /etc/audit/rules.d/audit.rules:
-w /var/log/secure -p wa -k sudo_log_modifications
Restart the auditd service:
systemctl restart auditd
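The following script is an added example, not part of the benchmark text, covering both the Test Plan and the Implementation Plan above. It assumes POSIX sh, awk and grep, and that the sudo log location is either the platform default (/var/log/secure) or whatever "Defaults logfile=..." names in a sudoers file; the function names (sudo_log_path, rule_present, ensure_rule), the rules file name 50-sudo-log.rules and the sample sudoers fragment are all constructed for the example. rule_present accepts either a rules file or "auditctl -l" output, so the same check verifies both the persisted and the loaded rule.

```shell
#!/bin/sh
# Added example (not from the benchmark): locate the sudo log file, check for
# an existing "-w <path> -p wa" watch, and persist the rule idempotently.

# Print the sudo log path: honour "Defaults logfile=..." in the sudoers file
# given as $1 (last definition wins), else fall back to the default in $2.
sudo_log_path() {
    sudoers="$1"; fallback="$2"
    found=$(awk '
        /^[[:space:]]*Defaults/ {
            # Defaults lines may carry several comma-separated options
            n = split($0, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^logfile=/) {
                    sub(/^logfile=/, "", parts[i]); gsub(/"/, "", parts[i])
                    print parts[i]
                }
        }' "$sudoers" 2>/dev/null | tail -n 1)
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf '%s\n' "$fallback"; fi
}

# Return 0 if $1 (a rules file, or "-" for stdin such as "auditctl -l" output)
# contains a watch on path $2 whose -p permissions include both w and a.
rule_present() {
    awk -v path="$2" '
        $1 == "-w" && $2 == path {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i+1) ~ /w/ && $(i+1) ~ /a/) hit = 1
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# Append the persistent watch rule to rules file $1 for log path $2 unless an
# equivalent watch is already there. Prints "added" or "present".
ensure_rule() {
    rules_file="$1"; logfile="$2"; key="${3:-sudo_log_modifications}"
    if [ -f "$rules_file" ] && rule_present "$rules_file" "$logfile"; then
        echo present; return 0
    fi
    printf '%s\n' "-w $logfile -p wa -k $key" >> "$rules_file"
    echo added
}

# Demonstration on constructed files (no root or auditd needed to run it).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudoers" <<'EOF'
# constructed sample sudoers fragment
Defaults    env_reset, logfile="/var/log/sudo.log"
%wheel ALL=(ALL) ALL
EOF
log=$(sudo_log_path "$demo_dir/sudoers" /var/log/secure)   # -> /var/log/sudo.log
ensure_rule "$demo_dir/50-sudo-log.rules" "$log"            # added
ensure_rule "$demo_dir/50-sudo-log.rules" "$log"            # present (idempotent)
cat "$demo_dir/50-sudo-log.rules"
rm -rf "$demo_dir"
# On a real host, after loading the rules, the live check would be:
#   auditctl -l | rule_present - "$log"
```

Checking the sudoers configuration first matters because a watch on /var/log/secure detects nothing if sudo has been configured to write its own log elsewhere. Files under /etc/audit/rules.d/ are merged into the loaded ruleset by augenrules when auditd starts; on distributions whose auditd unit refuses systemctl restart, "service auditd restart" or "augenrules --load" loads them instead.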
Backout Plan:
Using Linux Command Line:
Remove the audit rule monitoring the sudo log file:
auditctl -W /var/log/secure -p wa -k sudo_log_modifications
Remove the corresponding line from /etc/audit/rules.d/audit.rules
Restart the auditd service:
systemctl restart auditd
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Rule Documentation
NIST SP 800-53 Revision 5 - AU-6