SV-99369r1_rule
V-88719
SRG-OS-000468-GPOS-00212
VROM-SL-001375
CAT II
10
At a minimum, the SLES for vRealize audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file:
-w /etc/sudoers -p wa -k sudoers
OR
# /etc/dodscript.sh
To verify that auditing is configured for system administrator actions, run the following command:
# auditctl -l | grep "watch=/etc/sudoers"
The result should return a rule for sudoers, such as:
LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers
If there is no output, this is a finding.
V-88719
False
VROM-SL-001375
To verify that auditing is configured for system administrator actions, run the following command:
# auditctl -l | grep "watch=/etc/sudoers"
The result should return a rule for sudoers, such as:
LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers
If there is no output, this is a finding.
M
3461