Configure immutable Audit login UIDs

An XCCDF Rule

Description

Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:

## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

Load new Audit rules into kernel by running:

augenrules --load

Rationale

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

ID: xccdf_org.ssgproject.content_rule_audit_immutable_login_uids
Severity: Medium
References: CCI-000162 CCI-000163 CCI-000164

AU-2(a)

FAU_GEN.1.2

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000462-GPOS-00206 SRG-OS-000475-GPOS-00220

SRG-APP-000121-CTR-000255 SRG-APP-000495-CTR-001235
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A
        mode: 0600
        path: /etc/audit/rules.d/11-loginuid.rules
        overwrite: true

Configure immutable Audit login UIDs

Description

Rationale

Remediation - Kubernetes Patch