Check: RHEL-09-654270
RHEL 9 STIG:
RHEL-09-654270
(in versions v1 r3 through v1 r1)
Title
RHEL 9 audit system must protect logon UIDs from unauthorized change. (Cat II impact)
Discussion
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible. Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Check Content
Verify the audit system prevents unauthorized changes to logon UIDs with the following command: $ sudo grep -i immutable /etc/audit/audit.rules --loginuid-immutable If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: --loginuid-immutable The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258228r926671_rule
Vulnerability ID: V-258228
Group Title: SRG-OS-000462-GPOS-00206
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 |
The information system protects audit information from unauthorized access. |
| CCI-000163 |
The information system protects audit information from unauthorized modification. |
| CCI-000164 |
The information system protects audit information from unauthorized deletion. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |