centos7:4:1:15 [2017/05/04 16:14] (current) Piotr Kłoczewski created
====== 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored) ======
=====Profile Applicability=====
<code>
Level 2 - Server
Level 2 - Workstation
</code>
=====Description=====
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the ''sudo'' command to execute privileged commands, it is possible to monitor changes in scope. An audit record is generated whenever ''/etc/sudoers'' (or, with the rules below, the ''/etc/sudoers.d'' directory) is written to or its attributes are changed, and these records are tagged with the key ''scope''.
=====Rationale=====
Changes in the ''/etc/sudoers'' file can indicate that an unauthorized change has been made to the scope of system administrator activity.
=====Audit=====
Run the following command and verify that the output matches:
<code bash>
# grep scope /etc/audit/audit.rules
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
</code>
=====Remediation=====
Add the following lines to the ''/etc/audit/audit.rules'' file:
<code bash>
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
</code>
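The audit step above is a manual grep; the following script is an added example (not part of the CIS benchmark text) that turns it into a pass/fail check for a given rules file. It assumes the rules file path is passed as an argument and, going slightly beyond the benchmark wording, accepts the permission flags in either order (''wa'' or ''aw''), since both express the same watch.

```shell
#!/bin/sh
# Added example: verify that an audit rules file contains both sudoers
# watch rules required by item 4.1.15. Returns 0 when both rules are
# present, 1 otherwise, and reports each missing rule on stderr.

check_sudoers_audit_rules() {
    rules_file="$1"
    missing=0
    for path in /etc/sudoers /etc/sudoers.d; do
        # Match: -w <path> -p wa|aw -k scope, tolerating extra whitespace.
        pattern="^[[:space:]]*-w[[:space:]]+${path}[[:space:]]+-p[[:space:]]+(wa|aw)[[:space:]]+-k[[:space:]]+scope[[:space:]]*$"
        if ! grep -Eq "$pattern" "$rules_file"; then
            echo "missing: -w ${path} -p wa -k scope" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample rule files for a stand-alone run (not real system files).
good_rules=$(mktemp)
cat > "$good_rules" <<'EOF'
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
EOF

bad_rules=$(mktemp)
cat > "$bad_rules" <<'EOF'
-w /etc/sudoers -p w -k scope
EOF

check_sudoers_audit_rules "$good_rules" && echo "compliant: $good_rules"
check_sudoers_audit_rules "$bad_rules" || echo "non-compliant: $bad_rules"
rm -f "$good_rules" "$bad_rules"
```

Run it against ''/etc/audit/audit.rules'' (or any file under ''/etc/audit/rules.d/'') by calling ''check_sudoers_audit_rules'' with that path.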