Configure immutable Audit login UIDs

An XCCDF Rule

Description

Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make login UIDs immutable:

--loginuid-immutable

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make login UIDs immutable:

--loginuid-immutable

Rationale

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids
Severity: Medium
References: CCI-000162 CCI-000163 CCI-000164

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000462-GPOS-00206 SRG-OS-000475-GPOS-00220

SV-230403r627750_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-030122
  - audit_rules_immutable_login_uids  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: 'Configure immutable Audit login UIDs: Determine if rules are loaded by auditctl'
  ansible.builtin.find:
    paths: /usr/lib/systemd/system
    patterns: auditd.service
    contains: ^\s*ExecStartPost=-/sbin/auditctl
  register: auditctl_used
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-030122
  - audit_rules_immutable_login_uids
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: 'Configure immutable Audit login UIDs: Configure immutable login UIDs in /etc/audit/audit.rules'
  ansible.builtin.lineinfile:
    path: /etc/audit/audit.rules
    line: --loginuid-immutable
    regexp: ^\s*--loginuid-immutable\s*$
    create: true
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - auditctl_used is defined and auditctl_used.matched >= 1
  tags:
  - DISA-STIG-RHEL-08-030122
  - audit_rules_immutable_login_uids
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: 'Configure immutable Audit login UIDs: In case Augen-rules is used'
  block:

  - name: 'Configure immutable Audit login UIDs: Detect if immutable login UIDs are
      already defined in /etc/audit/rules.d/*.rules'
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      patterns: '*.rules'
      contains: ^\s*--loginuid-immutable\s*$
    register: immutable_found_in_rules_d

  - name: 'Configure immutable Audit login UIDs: set immutable login UIDS in /etc/audit/rules.d/immutable.rules'
    ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/immutable.rules
      line: --loginuid-immutable
      regexp: ^\s*--loginuid-immutable\s*$
      create: true
    when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched
      == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - auditctl_used is defined and auditctl_used.matched == 0
  tags:
  - DISA-STIG-RHEL-08-030122
  - audit_rules_immutable_login_uids
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# in case auditctl is used
if grep -q '^\s*ExecStartPost=-/sbin/auditctl' /usr/lib/systemd/system/auditd.service; then
  if ! grep -q '^\s*--loginuid-immutable\s*$' /etc/audit/audit.rules; then    echo "--loginuid-immutable" >> /etc/audit/audit.rules
  fi
else
  immutable_found=0
  while IFS= read -r -d '' f; do
    if grep -q '^\s*--loginuid-immutable\s*$' "$f"; then
      immutable_found=1
    fi
  done <    <(find /etc/audit/rules.d -maxdepth 1 -name '*.rules' -print0)
  if [ $immutable_found -eq 0 ]; then
    echo "--loginuid-immutable" >> /etc/audit/rules.d/immutable.rules
  fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure immutable Audit login UIDs

Description

Rationale

Remediation - Ansible

Remediation - Shell Script