1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
documentation_complete: true
title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
description: |-
At a minimum, the audit system should collect administrator actions
for all users and root.
{{{ describe_audit_rules_watch("/etc/sudoers", "actions") }}}
rationale: |-
The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk.
severity: medium
identifiers:
cce@rhel8: CCE-90175-1
cce@rhel9: CCE-90176-9
cce@rhel10: CCE-88688-7
references:
srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000503-CTR-001275
stigid@ol8: OL08-00-030171
ocil_clause: 'the command does not return a line, or the line is commented out'
ocil: |-
{{{ ocil_audit_rules_watch("/etc/sudoers", "actions") }}}
fixtext: '{{{ fixtext_audit_file_watch_rule("/etc/sudoers", "actions", "/etc/audit/rules.d/audit.rules") }}}'
srg_requirement: '{{{ srg_requirement_audit_file_watch_rule("/etc/sudoers") }}}'
template:
name: audit_rules_watch
vars:
path: /etc/sudoers
key: actions
|
