Profile Applicability:
• Level 1
Description:
The sudo log file captures all commands executed with elevated privileges, providing critical audit information. Ensuring the log file exists supports monitoring and forensic analysis of privileged actions.
Rationale:
Maintaining a dedicated sudo log file improves accountability, aids in security incident investigations, and helps meet compliance requirements
Impact:
Pros:
Provides comprehensive audit trails for sudo commands.
Supports detection of unauthorized privilege use.
Cons:
Requires proper log management and protection to prevent tampering.
Default Value:
Depending on system configuration, sudo logs may be directed to syslog or a specific log file.
Pre-requisites:
Root or sudo privileges to verify and configure sudo logging.
Remediation:
Test Plan:
Using Linux command line:
Check sudoers configuration for logging directives:
sudo grep -i logfile /etc/sudoers /etc/sudoers.d/*
Identify the configured log file path or logging facility.
Verify the log file exists and has appropriate permissions:
ls -l /var/log/sudo.log
(Adjust path if different.)
Implementation Plan:
Using Linux command line:
If the log file does not exist, create it and set ownership and permissions:
touch /var/log/sudo.log chown root:root /var/log/sudo.log chmod 600 /var/log/sudo.log
Ensure sudoers file contains the logging directive, for example:
Defaults logfile="/var/log/sudo.log"
Restart syslog or rsyslog service if necessary to apply changes.
Backout Plan:
Using Linux command line:
Remove or comment out the logging directive in sudoers if required.
Delete the sudo log file if no longer needed.
Restart syslog or rsyslog service.
References: