0038-sudoers-priv-sudoers File Permissions Change Detection
Rule ID
Category
Severity
Compatible Versions
Description
- Monitor whether the permissions of the host file /etc/sudoers have been modified.
Scan Frequency
Theoretical Basis
- The host file /etc/sudoers allows specific users to execute a wide variety of commands with root privileges without needing the root password.
Risk Items
Audit Method
- Run the following command and verify that Uid and Gid are both 0/root, and Access does not grant permissions to groups or others:
stat /etc/sudoers
Access: (0440/-r--r-----) Uid: ( 0/root) Gid: ( 0/root)
- If it is detected that the permissions of the /etc/sudoers file have changed, log in to the server as the root user to restore the permissions and audit this change.
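The audit step above can be scripted so that any drift from the expected stat output is reported field by field. The following is an added example, not the product's own detection code; the function name check_file_perms is hypothetical, the baseline defaults (mode 440, uid 0, gid 0) are taken from the expected output shown above, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: compare a file's mode, owner and group against a baseline.
# Assumes GNU coreutils stat (the -c FORMAT option).
#
# Usage: check_file_perms PATH [MODE] [UID] [GID]
#   Defaults follow the expected output in the audit step: 440, uid 0, gid 0.
#   Prints one line per deviation.
#   Returns 0 if the file matches, 1 if it has drifted, 2 if it cannot be read.
check_file_perms() {
    path=$1
    want_mode=${2:-440}
    want_uid=${3:-0}
    want_gid=${4:-0}

    # stat prints the mode without a leading zero, so accept "0440" as "440".
    case $want_mode in
        0?*) want_mode=${want_mode#0} ;;
    esac

    # %a = octal mode, %u = numeric owner, %g = numeric group
    if ! out=$(stat -c '%a %u %g' "$path" 2>/dev/null); then
        echo "ERROR $path: cannot stat"
        return 2
    fi

    # Split the three fields into positional parameters.
    set -- $out
    mode=$1
    uid=$2
    gid=$3

    rc=0
    [ "$mode" = "$want_mode" ] || { echo "FAIL $path: mode $mode, expected $want_mode"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL $path: uid $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "FAIL $path: gid $gid, expected $want_gid"; rc=1; }

    if [ "$rc" -eq 0 ]; then
        echo "OK $path: mode $mode uid $uid gid $gid"
    fi
    return "$rc"
}

# Example call on a host (not executed here): check_file_perms /etc/sudoers
```

A non-zero return can be wired into a cron job or monitoring agent so that the change is flagged for the restore-and-audit step described above.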
Impact
Default Value
References
CIS Controls