Vulnerability Discussion

Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible.

This auditd policy will watch for and alert the system administrators regarding any modifications to the files within "/etc/sudoers.d/" such as adding privileged users, groups, or commands.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Check

Verify AlmaLinux OS 9 generates audit records for all account creations, modifications, disabling, and termination events that affect the files within "/etc/sudoers.d/", with the following command:

$ grep /etc/sudoers.d/ /etc/audit/audit.rules

-w /etc/sudoers.d/ -p wa -k identity

If the command does not return a line or the line is commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.

Fix

Configure AlmaLinux OS 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/.

Add the following to the "/etc/audit/rules.d/audit.rules" file:

-w /etc/sudoers.d/ -p wa -k identity

Merge the rules into /etc/audit/audit.rules:

$ augenrules --load

Reboot the server so the changes to take effect.