{"description": "Configure the kernel to prevent modification of login UIDs once they are set.\nChanging login UIDs while this configuration is enforced requires special capabilities which\nare not available to unprivileged users.\nIf the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt> in order to make login UIDs\nimmutable:\n<pre>--loginuid-immutable</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to the\n<tt>/etc/audit/audit.rules</tt> file in order to make login UIDs\nimmutable:\n<pre>--loginuid-immutable</pre>", "rationale": "If modification of login UIDs is not prevented, they can be changed by unprivileged users and\nmake auditing complicated or impossible.", "severity": "medium", "references": {"srg": ["SRG-OS-000462-GPOS-00206", "SRG-OS-000475-GPOS-00220", "SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the system is not configured to make login UIDs immutable", "ocil": "To determine if the system is configured to make login UIDs immutable, run\none of the following commands.\nIf the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), run the following:\n<pre>sudo grep immutable /etc/audit/rules.d/*.rules</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, run the following command:\n<pre>sudo grep immutable /etc/audit/audit.rules</pre>\nThe following line should be returned:\n<pre>--loginuid-immutable</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 audit system must protect logon UIDs from unauthorized change.", "fixtext": "Configure Ubuntu 22.04 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:\n\n--loginuid-immutable\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "Verify the audit system prevents unauthorized changes to logon UIDs with the following command:\n\n$ sudo grep -i immutable /etc/audit/audit.rules\n\n--loginuid-immutable\n\nIf the \"--loginuid-immutable\" option is not returned in the \"/etc/audit/audit.rules\", or the line is commented out, this is a finding.", "vuldiscussion": "If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Configure immutable Audit login UIDs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml", "template": null}