Ensure auditd Collects System Administrator Actions
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd
daemon is configured to use the
augenrules
program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules
in the directory
/etc/audit/rules.d
:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules
file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule" use="legacy"/>
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"