Add sudoers to some base audit rules

ChangeLog

@@ -5,6 +5,7 @@
 - Upgrade libev to 4.33
 - Add auparse_new_buffer function to auparse library
 - Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
 
 3.0
 - Generate checkpoint file even when no results are returned (Burn Alting)

rules/30-ospp-v42.rules

@@ -57,6 +57,10 @@
 
 ## Privilege escalation via su or sudo. This is entirely handled by pam.
 
+## Watch for configuration changes to privilege escalation.
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+
 ## Audit log access
 -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
 ## Attempts to Alter Process and Session Initiation Information

rules/30-pci-dss-v31.rules

@@ -25,6 +25,10 @@
 ## logging. The pam config below should be placed into su and sudo pam stacks.
 ## session   required pam_tty_audit.so disable=* enable=root
 
+## Watch for configuration changes to privilege escalation.
+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=10.2.2-priv-config-changes
+
 ## 10.2.3 Access to all audit trails.
 -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=10.2.3-access-audit-trail
 -a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=10.2.3-access-audit-trail