Configure immutable Audit login UIDs
An XCCDF Rule
Description
Configure the kernel so that a process's login UID (auid), once set, cannot be modified. Even without this setting, changing an already-set login UID requires CAP_AUDIT_CONTROL, which unprivileged users do not hold; with the immutable feature enabled the kernel also refuses the change to privileged processes, and the feature stays locked until the next reboot. The following rule configures audit as described above:
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

Load the new audit rules into the kernel by running:
augenrules --load
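Writing the rules file is only half of the job: the directive takes effect only after the rule set is loaded, and a host where the file exists but the kernel feature is still off passes a file-based check while remaining unprotected. The script below is an added example (not part of the SSG rule or its OVAL check) that verifies both halves: it looks for an uncommented --loginuid-immutable line under /etc/audit/rules.d, and it parses the status printed by auditctl -s. It assumes that auditctl -s emits a line of the form "loginuid_immutable <0|1> <locked|unlocked>" (audit userspace 2.6 and later; the line is absent on older releases, which the code reports as a separate outcome). The two auditctl -s captures at the bottom are constructed for offline use, not taken from a real host.

```sh
#!/bin/sh
# Added example, not part of the SSG rule or its checks: verify that the
# --loginuid-immutable directive is both persisted under /etc/audit/rules.d
# and enforced by the running kernel. Assumptions: rules files hold one
# directive per line with '#' comments, and `auditctl -s` prints a line
# "loginuid_immutable <0|1> <locked|unlocked>" (audit userspace 2.6+;
# absent on older releases, which is treated as a distinct outcome below).

# Return 0 if any *.rules file in DIR has an uncommented --loginuid-immutable
# directive, 1 otherwise. Comments and surrounding whitespace are ignored so
# that "  --loginuid-immutable  # note" still counts.
rules_dir_has_loginuid_immutable() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" \
            | grep -qx -- '--loginuid-immutable'; then
            return 0
        fi
    done
    return 1
}

# STATUS is the text printed by `auditctl -s`. Return 0 if it reports the
# kernel feature enabled, 1 if it reports it disabled, 2 if the line is
# missing (old audit userspace, or a truncated capture).
status_reports_loginuid_immutable() {
    line=$(printf '%s\n' "$1" | grep '^loginuid_immutable ' | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        'loginuid_immutable 1'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: needs root, because auditctl talks to the kernel over netlink.
# Returns 0 only when the directive is persisted AND the kernel enforces it;
# the common failure mode (file written, rules never reloaded) is called out.
check_live_system() {
    dir="${1:-/etc/audit/rules.d}"
    rc=0
    if rules_dir_has_loginuid_immutable "$dir"; then
        echo "persistent rules: --loginuid-immutable present in $dir"
    else
        echo "persistent rules: --loginuid-immutable missing in $dir"
        rc=1
    fi
    if ! status=$(auditctl -s 2>/dev/null); then
        echo "auditctl -s failed (not root, or audit not installed)"
        return 2
    fi
    krc=0
    status_reports_loginuid_immutable "$status" || krc=$?
    case "$krc" in
        0) echo "kernel: loginuid is immutable" ;;
        1) echo "kernel: loginuid NOT immutable; rule not loaded? run: augenrules --load"; rc=1 ;;
        *) echo "kernel: auditctl -s does not report loginuid_immutable (old audit userspace)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed `auditctl -s` captures (not taken from a real host) for
# exercising the parser offline.
SAMPLE_STATUS_LOCKED='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 1 locked'

SAMPLE_STATUS_UNLOCKED='enabled 1
failure 1
pid 812
loginuid_immutable 0 unlocked'

# Run the live check only when asked, so sourcing the file for its
# functions has no side effects:  sh check-loginuid.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

Run it as root with --live on a remediated host; a result of "present" for the file but "NOT immutable" for the kernel means the rule was written but augenrules --load was never run (or auditd was restarted from a stale compiled ruleset). Note that once the kernel reports "1 locked" the setting cannot be undone without a reboot, so test the rule on a non-production host before rolling it into a hardening profile.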
Rationale
If modification of login UIDs is not prevented, any process holding CAP_AUDIT_CONTROL (for example a compromised or misused root process) can rewrite them, breaking the link between audit events and the user who originally logged in and making auditing complicated or impossible.
- ID: xccdf_org.ssgproject.content_rule_audit_immutable_login_uids
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy
  copy:
    dest: /etc/audit/rules.d/11-loginuid.rules
    content: |+
      ## Make the loginuid immutable. This prevents tampering with the auid.
      --loginuid-immutable
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
EOF
    # Load the new rule set into the kernel, as the Description instructs
    augenrules --load
fi