Navigate

Check: RHEL-09-654215

RHEL 9 STIG: RHEL-09-654215 (in version v2 r3)

Title

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. (Cat II impact)

Discussion

The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Check Content

Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers" with the following command: $ sudo auditctl -l | grep '/etc/sudoers[^.]' -w /etc/sudoers -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.

Fix Text

Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers -p wa -k identity To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load

Additional Identifiers

Rule ID: SV-258217r1045436_rule

Vulnerability ID: V-258217

Group Title: SRG-OS-000004-GPOS-00004

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000015	Support the management of system accounts using organization-defined automated mechanisms.
CCI-000018	Automatically audit account creation actions.
CCI-000130	Ensure that audit records contain information that establishes what type of event occurred.
CCI-000135	Generate audit records containing the organization-defined additional information that is to be included in the audit records.
CCI-000169	Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.
CCI-000172	Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-001403	Automatically audit account modification actions.
CCI-001404	Automatically audit account disabling actions.
CCI-001405	Automatically audit account removal actions.
CCI-002130	Automatically audit account enabling actions.
CCI-002132	The information system notifies organization-defined personnel or roles for account enabling actions.
CCI-002884	Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-2(1)	Automated System Account Management
AC-2(4)	Automated Audit Actions
AU-3	Content of Audit Records
AU-3(1)	Additional Audit Information
AU-12	Audit Generation
MA-4(1)	Auditing and Review