Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
Check that the file and directory is being audited by performing the following command:
> sudo auditctl -l | grep -w '/etc/sudoers'
-w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions
If the commands do not return output that match the examples, this is a finding.
Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Fix
Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers -p wa -k privileged-actions
-w /etc/sudoers.d -p wa -k privileged-actions
To reload the rules file, restart the audit daemon