
0069-sudo-logfile: sudo Log Not Configured or Deleted


Rule ID

  • 0069-sudo-logfile

Category

  • system

Level

  • warn

Compatible Versions

  • Linux

Description

  • sudo can write the commands executed by each user to a custom log file.

    Note: visudo edits the sudoers file in a secure manner similar to vipw(8). visudo locks the sudoers file to prevent multiple simultaneous edits, performs basic integrity checks, and checks for parsing errors before saving. If the sudoers file is already being edited by someone else, visudo prints a message asking you to try again later.

Scan Frequency

  • disable

Theoretical Basis

  • Used to record commands executed by users

Risk Items

  • Without this log, it is not possible to identify which user executed an unauthorized command via sudo.

Audit Method

  • Verify whether sudo has a custom log file configured. Run the following command (the pattern is single-quoted so the embedded double quotes are passed to grep unchanged):
grep -Ei '^\s*Defaults\s+([^#;]+,\s*)?logfile\s*=\s*(")?[^#;]+(")?' /etc/sudoers
or
grep -Ei '^\s*Defaults\s+([^#;]+,\s*)?logfile\s*=\s*(")?[^#;]+(")?' /etc/sudoers.d/*
# grep prints the whole matching line, so the output should look like the following. If nothing is printed, it is recommended to add the sudo.log configuration:
Defaults logfile="/var/log/sudo.log"
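The audit above as a small POSIX shell helper, added here as an example and not part of the original rule page. It follows the page's own pattern (logfile may be one item of a comma-separated Defaults list, quoted or unquoted) and returns pass/fail; the function names and the PASS/FAIL wording are my own.

```shell
#!/bin/sh
# Audit helper for rule 0069-sudo-logfile (added example, not the scanner's code).
# Usage: check_sudo_logfile [sudoers-file ...]
# With no arguments it reads /etc/sudoers and /etc/sudoers.d/* (run as root).

# Print the configured sudo log path found in the given files, or nothing.
# Commented-out lines ("# Defaults logfile=...") are excluded because the
# pattern requires "Defaults" to be the first token on the line.
sudo_logfile_path() {
    grep -Eih '^[[:space:]]*Defaults[[:space:]]+([^#;]+,[[:space:]]*)?logfile[[:space:]]*=' "$@" 2>/dev/null \
      | sed -E 's/.*logfile[[:space:]]*=[[:space:]]*"?([^",# ]+)"?.*/\1/' \
      | tail -n 1
}

# Exit 0 (pass) when a logfile is configured, 1 (fail) when it is not.
check_sudo_logfile() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/sudoers /etc/sudoers.d/*
    fi
    path=$(sudo_logfile_path "$@")
    if [ -n "$path" ]; then
        echo "PASS: sudo logfile configured: $path"
        return 0
    fi
    echo "FAIL: no 'Defaults logfile=' entry found; add Defaults logfile=\"/var/log/sudo.log\" with visudo"
    return 1
}
```

Run `check_sudo_logfile` with no arguments as root to audit the live sudoers files; pass explicit paths to check a staged copy before installing it.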

Remediation

  • Use visudo (for /etc/sudoers) or visudo -f <file> (for a file under /etc/sudoers.d/) to add the following line:
Defaults logfile="/var/log/sudo.log"

Impact

  • Once the sudo log is configured, detailed records of the commands executed by users can be reviewed, including the execution time, login time, and login location.

Default Value

  • Not configured by default.

References

CIS Controls

  • Version 7, 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
