Check: RHEL-09-654270
RHEL 9 STIG:
RHEL-09-654270
(in versions v2 r3 through v1 r1)
Title
RHEL 9 audit system must protect logon UIDs from unauthorized change. (Cat II impact)
Discussion
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Check Content
Verify the audit system prevents unauthorized changes to logon UIDs with the following command: $ sudo grep -i immutable /etc/audit/audit.rules --loginuid-immutable If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: --loginuid-immutable The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258228r991572_rule
Vulnerability ID: V-258228
Group Title: SRG-OS-000462-GPOS-00206
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 |
Protect audit information from unauthorized access. |
| CCI-000163 |
Protect audit information from unauthorized modification. |
| CCI-000164 |
Protect audit information from unauthorized deletion. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |