AlmaLinux OS 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect the files within /etc/sudoers.d/

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269135	SRG-OS-000004-GPOS-00004	ALMA-09-006070	SV-269135r1050017_rule	2025-02-20	1

Description
Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd policy will watch for and alert the system administrators regarding any modifications to the files within "/etc/sudoers.d/" such as adding privileged users, groups, or commands. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Description

Audit records provide a means to investigate events related to a security incident. Insufficient audit coverage will make identifying those responsible challenging or impossible. This auditd policy will watch for and alert the system administrators regarding any modifications to the files within "/etc/sudoers.d/" such as adding privileged users, groups, or commands. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

ℹ️ Check
Verify AlmaLinux OS 9 generates audit records for all account creations, modifications, disabling, and termination events that affect the files within "/etc/sudoers.d/", with the following command: $ grep /etc/sudoers.d/ /etc/audit/audit.rules -w /etc/sudoers.d/ -p wa -k identity If the command does not return a line or the line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.

ℹ️ Check

Verify AlmaLinux OS 9 generates audit records for all account creations, modifications, disabling, and termination events that affect the files within "/etc/sudoers.d/", with the following command: $ grep /etc/sudoers.d/ /etc/audit/audit.rules -w /etc/sudoers.d/ -p wa -k identity If the command does not return a line or the line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.

✔️ Fix
Configure AlmaLinux OS 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/. Add the following to the "/etc/audit/rules.d/audit.rules" file: -w /etc/sudoers.d/ -p wa -k identity Merge the rules into /etc/audit/audit.rules: $ augenrules --load Reboot the server so the changes to take effect.