Configure immutable Audit login UIDs

An XCCDF Rule

Description

Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:

## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

Load new Audit rules into kernel by running:

augenrules --load

Rationale

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

ID: xccdf_org.ssgproject.content_rule_audit_immutable_login_uids
Severity: Medium
References: CCI-000162 CCI-000163 CCI-000164

AU-2(a)

FAU_GEN.1.2

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000462-GPOS-00206 SRG-OS-000475-GPOS-00220

CCE-82828-5

SRG-APP-000121-CTR-000255 SRG-APP-000495-CTR-001235
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable%0A%0A
        mode: 0600
        path: /etc/audit/rules.d/11-loginuid.rules
        overwrite: true

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
EOF

chmod o-rwx /etc/audit/rules.d/11-loginuid.rules

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy
  copy:
    dest: /etc/audit/rules.d/11-loginuid.rules
    content: |+
      ## Make the loginuid immutable. This prevents tampering with the auid.
      --loginuid-immutable
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82828-5
  - NIST-800-53-AU-2(a)
  - audit_immutable_login_uids
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove any permissions from other group
  file:
    path: /etc/audit/rules.d/11-loginuid.rules
    mode: o-rwx
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82828-5
  - NIST-800-53-AU-2(a)
  - audit_immutable_login_uids
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure immutable Audit login UIDs

Description

Rationale

Remediation - Kubernetes Patch

Remediation - Shell Script

Remediation - Ansible