RHEL 9 audit system must protect logon UIDs from unauthorized change.
An XCCDF Rule
Description
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.
Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
- ID: SV-258228r991572_rule
- Version: RHEL-09-654270
- Severity: Medium
Remediation Templates
A Manual Procedure
Configure RHEL 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:
--loginuid-immutable
The audit daemon must be restarted for the changes to take effect.
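Because the rule only takes effect once the audit daemon reloads it, a check should confirm both the line in the rules file and the loaded state. The following is an added example, not part of the STIG text; the function names and sample data are constructed, and the status lines are modeled on `auditctl -s` output.

```shell
#!/bin/sh
# Added example (not from the STIG): verify the loginuid-immutable setting.

# Succeeds if any readable file in "$@" has an active (uncommented)
# --loginuid-immutable line on its own.
rules_have_loginuid_immutable() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Eq '^[[:space:]]*--loginuid-immutable[[:space:]]*$' "$f" && return 0
    done
    return 1
}

# Reads `auditctl -s` output on stdin; succeeds only if the kernel
# reports loginuid_immutable as 1 (the rule is actually loaded).
status_reports_immutable() {
    awk '$1 == "loginuid_immutable" { ok = ($2 == "1") } END { exit (ok ? 0 : 1) }'
}

# Constructed samples: one compliant rules file, one where the line is
# commented out, and two status outputs modeled on `auditctl -s`.
self_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '-b 8192' '--loginuid-immutable' > "$d/good.rules"
    printf '%s\n' '-b 8192' '# --loginuid-immutable' > "$d/bad.rules"
    rc=0
    rules_have_loginuid_immutable "$d/good.rules" || rc=1
    rules_have_loginuid_immutable "$d/bad.rules" && rc=1
    printf 'enabled 1\nloginuid_immutable 1 locked\n' | status_reports_immutable || rc=1
    printf 'enabled 1\nloginuid_immutable 0 unlocked\n' | status_reports_immutable && rc=1
    rm -rf "$d"
    return $rc
}

# On a live host (as root):
#   rules_have_loginuid_immutable /etc/audit/rules.d/audit.rules
#   auditctl -s | status_reports_immutable
```

A host where the file check passes but the status check fails has the line configured but not yet loaded.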