Check: RHEL-09-654220
RHEL 9 STIG:
RHEL-09-654220
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. (Cat II impact)
Discussion
The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Check Content
Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: $ sudo auditctl -l | grep /etc/sudoers.d -w /etc/sudoers.d/ -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers.d/ -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258218r926641_rule
Vulnerability ID: V-258218
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
The information system automatically audits account creation actions. |
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
| CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
| CCI-001403 |
The information system automatically audits account modification actions. |
| CCI-001404 |
The information system automatically audits account disabling actions. |
| CCI-001405 |
The information system automatically audits account removal actions. |
| CCI-002130 |
The information system automatically audits account enabling actions. |
| CCI-002132 |
The information system notifies organization-defined personnel or roles for account enabling actions. |
| CCI-002884 |
The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events. |