{
  "description": "At a minimum, the audit system should collect administrator actions\nfor all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /etc/sudoers.d/ -p wa -k actions</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /etc/sudoers.d/ -p wa -k actions</pre>",
  "rationale": "The actions taken by system administrators should be audited to keep a record\nof what was executed on the system, as well as for accountability purposes.\nEditing the sudoers files may be a sign of an attacker trying to\nestablish persistence on a system; auditing edits to the sudoers\nfiles mitigates this risk.",
  "severity": "medium",
  "references": {
    "srg": [
      "SRG-OS-000004-GPOS-00004",
      "SRG-OS-000037-GPOS-00015",
      "SRG-OS-000042-GPOS-00020",
      "SRG-OS-000062-GPOS-00031",
      "SRG-OS-000304-GPOS-00121",
      "SRG-OS-000392-GPOS-00172",
      "SRG-OS-000462-GPOS-00206",
      "SRG-OS-000470-GPOS-00214",
      "SRG-OS-000471-GPOS-00215",
      "SRG-OS-000239-GPOS-00089",
      "SRG-OS-000240-GPOS-00090",
      "SRG-OS-000241-GPOS-00091",
      "SRG-OS-000303-GPOS-00120",
      "SRG-OS-000466-GPOS-00210",
      "SRG-OS-000476-GPOS-00221",
      "SRG-APP-000495-CTR-001235",
      "SRG-APP-000499-CTR-001255",
      "SRG-APP-000503-CTR-001275"
    ],
    "stigid": ["UBTU-22-654225"],
    "stigref": ["SV-260647r991575_rule"]
  },
  "control_references": {"stigid": ["UBTU-22-654225"]},
  "components": [],
  "identifiers": {},
  "ocil_clause": "the command does not return a line, or the line is commented out",
  "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/etc/sudoers.d/\" with the following command:\n\n$ sudo auditctl -l | grep /etc/sudoers.d/\n\n-w /etc/sudoers.d/ -p wa -k actions",
  "oval_external_content": null,
  "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect <tt>\"/etc/sudoers.d/\"</tt>.\nAdd or update the following file system rule in <tt>\"/etc/audit/rules.d/audit.rules\"</tt>:\n-w /etc/sudoers.d/ -p wa -k identity\n\nThe audit daemon must be restarted for the changes to take effect.",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.",
  "warnings": [],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect the /etc/sudoers.d/ directory.",
      "vuldiscussion": "The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers files may be a sign of an attacker trying to establish persistence on a system; auditing edits to the sudoers files mitigates this risk.",
      "checktext": "Verify Ubuntu 22.04 generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/sudoers.d/\" with the following command:\n\n$ sudo auditctl -l | grep /etc/sudoers.d\n\n-a always,exit -F arch=b32 -F path=/etc/sudoers.d/ -F perm=wa -F key=identity\n-a always,exit -F arch=b64 -F path=/etc/sudoers.d/ -F perm=wa -F key=identity\n\nIf the command does not return a line, or the line is commented out, this is a finding.",
      "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/sudoers.d/\".\n\nAdd or update the following file system rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -F path=/etc/sudoers.d/ -F perm=wa -F key=identity\n-a always,exit -F arch=b64 -F path=/etc/sudoers.d/ -F perm=wa -F key=identity\n\nThe audit daemon must be restarted for the changes to take effect."
    }
  },
  "platform": null,
  "platforms": [],
  "sce_metadata": {},
  "inherited_platforms": ["package[audit]", "system_with_kernel"],
  "cpe_platform_names": [],
  "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"],
  "bash_conditional": null,
  "fixes": {},
  "title": "Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml",
  "template": {
    "name": "audit_rules_watch",
    "vars": {"path": "/etc/sudoers.d/", "key": "actions"},
    "backends": {}
  }
}
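The rule above is checked by grepping `auditctl -l` for the path, and the check clause also mentions a commented-out line, which only exists in the `rules.d` files, never in `auditctl -l` output. The script below is an added example, not part of the SCAP Security Guide rule or the STIG: it inspects both the configured state (every `*.rules` file in the `augenrules` directory) and the loaded state (`auditctl -l`), ignores comment lines, requires both `w` and `a` permissions on exactly `/etc/sudoers.d/`, and accepts the two syntaxes the page shows (`-w PATH -p wa` and `-a always,exit -F path=PATH -F perm=wa`). The function names and the sample rules files written to a temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not the rule's own remediation or check content).
# Awk program: exit 0 if the rule lines on stdin contain an active watch on
# /etc/sudoers.d/ covering writes (w) and attribute changes (a), else exit 1.
SUDOERS_WATCH_AWK='
    $1 ~ /^#/ { next }                      # comment line: not an active rule
    { path = ""; perms = "" }
    $1 == "-w" {                            # -w /etc/sudoers.d/ -p wa -k actions
        path = $2
        for (i = 3; i <= NF; i++) if ($i == "-p") perms = $(i + 1)
    }
    $1 == "-a" {                            # -a always,exit -F path=... -F perm=wa
        for (i = 2; i <= NF; i++) if ($i == "-F") {
            split($(i + 1), kv, "=")
            if (kv[1] == "path") path = kv[2]
            if (kv[1] == "perm") perms = kv[2]
        }
    }
    path == "/etc/sudoers.d/" || path == "/etc/sudoers.d" {
        if (index(perms, "w") && index(perms, "a")) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }
'

# rules_have_sudoers_watch: reads rule lines on stdin.
rules_have_sudoers_watch() { awk "$SUDOERS_WATCH_AWK"; }

# check_rules_text "<rule lines>": the same check on a string argument.
check_rules_text() { printf '%s\n' "$1" | rules_have_sudoers_watch; }

# check_rules_dir DIR: configured state, i.e. every *.rules file that
# augenrules would load (normally DIR is /etc/audit/rules.d).
check_rules_dir() { cat "$1"/*.rules 2>/dev/null | rules_have_sudoers_watch; }

# check_loaded: running kernel state as auditctl -l reports it (needs root).
check_loaded() { auditctl -l 2>/dev/null | rules_have_sudoers_watch; }

# Constructed sample rules.d directory (not captured from a real host): the
# watch is commented out in one file and only /etc/sudoers is watched in
# another, so the check fails until an active /etc/sudoers.d/ watch is added.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# -w /etc/sudoers.d/ -p wa -k actions' > "$d/10-disabled.rules"
    printf '%s\n' '-w /etc/sudoers -p wa -k actions' > "$d/20-sudoers.rules"
    if check_rules_dir "$d"; then echo "unexpected: no active /etc/sudoers.d/ watch"; fi
    printf '%s\n' '-w /etc/sudoers.d/ -p wa -k actions' > "$d/30-sudoers-d.rules"
    check_rules_dir "$d" && echo "active /etc/sudoers.d/ watch found in $d"
    rm -rf "$d"
}
```

Run `demo` to see the constructed directory go from finding to pass; on a real host run `check_rules_dir /etc/audit/rules.d && sudo check_loaded` to confirm the rule is both configured and loaded, since a rule present only in a file is not auditing anything until `augenrules --load` or a restart of `auditd`.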