Check: AZLX-23-005000
Amazon Linux 2023 STIG, version v1 r1
Title
Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change. (Cat II impact)
Discussion
The login UID (auid) is set once by pam_loginuid when a user logs in and is carried by every process descended from that session, so it is the field that ties audit records back to the human who logged in even after su or sudo. If the kernel still allows a set login UID to be rewritten, a process holding CAP_AUDIT_CONTROL (a root shell reached through sudo, for example) can write a different value to /proc/self/loginuid, and all later audit records from that session are attributed to the wrong user, making auditing complicated or impossible. With --loginuid-immutable the kernel refuses such changes even from privileged processes. Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Check Content
Verify Amazon Linux 2023 is configured so that the audit system prevents unauthorized changes to login UIDs with the following command:

$ sudo grep -i immutable /etc/audit/audit.rules

--loginuid-immutable

If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.

Note that a match in this file shows only that the option is persisted; it does not prove that the running kernel has the feature enabled. The option takes effect when the rules are loaded (or at the next boot), so a host whose rule set has not been reloaded since the line was added is still unprotected until then.
Fix Text
Configure Amazon Linux 2023 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:

--loginuid-immutable

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Add the line under /etc/audit/rules.d/ rather than directly in /etc/audit/audit.rules, because augenrules regenerates the latter from the rules.d fragments on every load. If the audit configuration has already been locked with "-e 2", loading new rules fails and a reboot is required. The feature is one-way: once the kernel has applied --loginuid-immutable it reports the setting as locked and it cannot be cleared again until the next boot.
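As an added example (not part of the STIG text or of any DISA tooling), the following bash script automates the Check Content and Fix Text procedure above against both the persisted rule set and the running kernel. It assumes that augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and that `auditctl -s` prints a line of the form "loginuid_immutable <0|1> ..." (recent audit userspace does; older releases may not, which the script reports as a failure). The rule files and status text used in its demo mode are constructed for illustration, not captured from a real host.

```shell
#!/bin/bash
# Added example for AZLX-23-005000; not part of the STIG text.
# Assumptions (not stated on the page):
#  - augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules;
#  - `auditctl -s` prints a line "loginuid_immutable <0|1> ..." (recent audit
#    userspace does; older releases may omit it, which is reported as FAIL).

# 0 if FILE holds an active (not commented out) --loginuid-immutable option,
# 1 otherwise.  A plain `grep -i immutable` would also match a commented-out
# line, which the STIG still counts as a finding.
rules_has_loginuid_immutable() {
    local file="$1"
    [ -r "$file" ] || return 1
    grep -Eq '^[[:space:]]*--loginuid-immutable([[:space:]]|$)' "$file"
}

# 0 if any fragment in DIR (normally /etc/audit/rules.d) carries the option.
rules_dir_has_loginuid_immutable() {
    local dir="$1" f
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        rules_has_loginuid_immutable "$f" && return 0
    done
    return 1
}

# 0 if STATUS_TEXT (output of `auditctl -s`) reports the feature enabled in
# the running kernel, 1 otherwise.
kernel_has_loginuid_immutable() {
    printf '%s\n' "$1" | grep -Eq '^loginuid_immutable[[:space:]]+1'
}

# Combined verdict.  Prints one line per sub-check and returns 0 only if the
# option is persisted in rules.d AND the running kernel has it enabled.
check_loginuid_immutable() {
    local rules_dir="$1" status_text="$2" rc=0
    if rules_dir_has_loginuid_immutable "$rules_dir"; then
        echo "ok:   --loginuid-immutable persisted in $rules_dir"
    else
        echo "FAIL: --loginuid-immutable missing or commented out in $rules_dir"
        rc=1
    fi
    if kernel_has_loginuid_immutable "$status_text"; then
        echo "ok:   kernel reports loginuid_immutable 1"
    else
        echo "FAIL: kernel does not report loginuid_immutable 1 (rules not loaded, or reboot pending)"
        rc=1
    fi
    return $rc
}

# Demo on constructed data (no root needed): a compliant rules.d fragment next
# to a commented-out one, and two constructed `auditctl -s` outputs.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf '%s\n' '-w /etc/passwd -p wa -k identity' '--loginuid-immutable' > "$tmp/audit.rules"
    printf '%s\n' '# --loginuid-immutable' > "$tmp/other.rules"
    local status_locked='enabled 1
loginuid_immutable 1 locked'
    local status_off='enabled 1
loginuid_immutable 0 unlocked'
    echo "--- persisted and loaded:"
    check_loginuid_immutable "$tmp" "$status_locked"
    echo "--- persisted but not yet loaded:"
    check_loginuid_immutable "$tmp" "$status_off" || true
    rm -rf "$tmp"
}

# Usage: ./check-loginuid.sh --live   (as root, checks the real host)
#        ./check-loginuid.sh          (runs the demo on constructed data)
if [ "${1:-}" = "--live" ]; then
    check_loginuid_immutable /etc/audit/rules.d "$(auditctl -s 2>/dev/null)"
else
    demo
fi
```

Run it with --live as root after `augenrules --load` to confirm both halves pass; a PASS on the rules.d half with a FAIL on the kernel half is the "added but not yet loaded" state the check text warns about.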
Additional Identifiers
Rule ID: SV-274187r1120715_rule
Vulnerability ID: V-274187
Group Title: SRG-OS-000462-GPOS-00206
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 | Protect audit information from unauthorized access. |
| CCI-000163 | Protect audit information from unauthorized modification. |
| CCI-000164 | Protect audit information from unauthorized deletion. |
| CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |