STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The audit system must be configured to audit changes to the /etc/sudoers file.

DISA Rule

SV-208909r603263_rule

Vulnerability Number

V-208909

Group Title

SRG-OS-000064

Rule Version

OL6-00-000201

Severity

CAT III

CCI(s)

• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":

-w /etc/sudoers -p wa -k actions

Check Contents

To verify that auditing is configured for system administrator actions, run the following command:

$ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules

If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched).

If there is no output, this is a finding.

Vulnerability Number

V-208909

Documentable

False

Rule Version

OL6-00-000201

Severity Override Guidance

To verify that auditing is configured for system administrator actions, run the following command:

$ sudo grep -w "/etc/sudoers" /etc/audit/audit.rules

If the system is configured to watch for changes to its sudoers configuration, a line should be returned (including "-p wa" indicating permissions that are watched).

If there is no output, this is a finding.

Check Content Reference

M

Target Key

2928

Comments