{"description": "Configure kernel to prevent modification of login UIDs once they are set.\nChanging login UIDs while this configuration is enforced requires special capabilities which\nare not available to unprivileged users.\n\nThe following rules configure audit as described above:\n<pre>## Make the loginuid immutable. This prevents tampering with the auid.\n--loginuid-immutable    </pre>\n\nLoad new Audit rules into kernel by running:\n<pre>augenrules --load</pre>", "rationale": "If modification of login UIDs is not prevented, they can be changed by unprivileged users and\nmake auditing complicated or impossible.", "severity": "medium", "references": {"nist": ["AU-2(a)"], "ospp": ["FAU_GEN.1.2"], "srg": ["SRG-OS-000462-GPOS-00206", "SRG-OS-000475-GPOS-00220", "SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029", "SRG-APP-000121-CTR-000255", "SRG-APP-000495-CTR-001235"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the file does not exist or the content differs", "ocil": "To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:\n<pre>$ sudo cat /etc/audit/rules.d/11-loginuid.rules</pre>\nThe output has to be exactly as follows:\n<pre>## Make the loginuid immutable. This prevents tampering with the auid.\n--loginuid-immutable    </pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 kernel to prevent modification of login UIDs once they are set.\n\nMake sure the file \"/etc/audit/rules.d/11-loginuid.rules\" contains the following content:\n\n<pre>--loginuid-immutable</pre>\n\nThen, run the following commands:\n\n$ sudo chmod o-rwx \"/etc/audit/rules.d/11-loginuid.rules\"\n$ sudo augenrules --load", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure immutable Audit login UIDs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/rule.yml", "template": {"name": "audit_file_contents", "vars": {"filepath": "/etc/audit/rules.d/11-loginuid.rules", "contents": "## Make the loginuid immutable. This prevents tampering with the auid.\n--loginuid-immutable\n"}, "backends": {}}}