Skip to content

4.1.3.1 Ensure changes to system administration scope (sudoers) is collected

Audit#

Run the following command to check the on disk rules: 

# awk '/^ *-w/ \
&&/\/etc\/sudoers/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules

Verify the output matches: 

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

Running configuration

Run the following command to check loaded rules: 

# auditctl -l | awk '/^ *-w/ \
&&/\/etc\/sudoers/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'

Verify the output matches: 

-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

Remediation#

Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.

Example: 

# printf "
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
" >> /etc/audit/rules.d/50-scope.rules

Merge and load the rules into active configuration: 

# augenrules --load

Check if reboot is required. 

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi