Ensure auditd Collects System Administrator Actions

Description

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

Rationale

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule" use="legacy"/>
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"