Configure immutable Audit login UIDs

An XCCDF Rule

Description

Configure the kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:

## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

Load the new Audit rules into the kernel by running:

augenrules --load
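A compliance check for this rule, added here as an example; it is not part of the SCAP Security Guide or its OVAL content. It verifies both halves of what the description asks for: that an uncommented --loginuid-immutable line exists in a rules file under /etc/audit/rules.d (so the setting persists), and that the kernel currently reports the feature as on, which the audit userspace tools print from auditctl -s as a line of the assumed form "loginuid_immutable <0|1> [locked|unlocked]". The functions take their input as arguments so they can be exercised on a constructed rules file and constructed status text without root or a running auditd; only check_live touches the real system.

```shell
#!/bin/sh
# Added example for the "Configure immutable Audit login UIDs" rule; not part
# of the SCAP Security Guide. Checks the persistent rule on disk and the flag
# the kernel reports, and shows both on constructed input.

# Return 0 if any *.rules file in DIR carries --loginuid-immutable as a rule
# line of its own. A copy inside a comment ("## ... --loginuid-immutable")
# does not count, since augenrules ignores comment lines.
rule_present_in_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -qs '^[[:space:]]*--loginuid-immutable[[:space:]]*$' "$dir"/*.rules
}

# Return 0 if the given `auditctl -s` output reports loginuid_immutable 1.
# The line format "loginuid_immutable <0|1> [locked|unlocked]" is assumed;
# the pattern accepts the value with or without a trailing lock state.
kernel_flag_set() {
    printf '%s\n' "$1" | grep -qE '^loginuid_immutable 1([[:space:]]|$)'
}

# Live check: persistent rule on disk AND kernel flag currently on.
# Reports which half is missing so a failing result is actionable
# (for example rules written but `augenrules --load` never run).
check_live() {
    rc=0
    if ! rule_present_in_dir /etc/audit/rules.d; then
        echo "missing: --loginuid-immutable in /etc/audit/rules.d/*.rules" >&2
        rc=1
    fi
    if ! kernel_flag_set "$(auditctl -s 2>/dev/null)"; then
        echo "missing: kernel does not report loginuid_immutable 1 (rules not loaded?)" >&2
        rc=1
    fi
    return $rc
}

# Demonstration on constructed input: a rules file with the same content the
# remediation writes, and constructed auditctl -s text as it would look after
# the rules are loaded. Runs on any machine, no root needed.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '## Make the loginuid immutable. This prevents tampering with the auid.\n--loginuid-immutable\n' \
        > "$tmp/11-loginuid.rules"
    if rule_present_in_dir "$tmp"; then echo "rules.d: rule present"; fi
    status='enabled 1
failure 1
loginuid_immutable 1 locked'
    if kernel_flag_set "$status"; then echo "kernel: loginuid_immutable 1"; fi
    rm -rf "$tmp"
}

demo
```

Run check_live as root on the target host to get the real result; the exit status is 0 only when both the on-disk rule and the kernel flag are in place, which is the state the remediation plus augenrules --load is meant to produce.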

Rationale

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

ID
xccdf_org.ssgproject.content_rule_audit_immutable_login_uids
Severity
Medium
Remediation - Ansible

- name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy
  copy:
    dest: /etc/audit/rules.d/11-loginuid.rules
    content: |+
      ## Make the loginuid immutable. This prevents tampering with the auid.
      --loginuid-immutable

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
EOF

fi