This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

Amazon Linux 2023 audit system must protect logon user identifiers (UIDs) from unauthorized change.

STIG ID: AZLX-23-005000 | SRG: SRG-OS-000462-GPOS-00206 | Severity: medium (CAT II) | CCI: CCI-000172, CCI-000162, CCI-000163, CCI-000164 | Vulnerability Id: V-274187

Vulnerability Discussion

If modification of login UIDs is not prevented, nonprivileged users can change them, which makes attributing audited actions to the user who actually logged in complicated or impossible.

Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Check

Verify Amazon Linux 2023 is configured so that the audit system prevents unauthorized changes to login UIDs with the following command:

$ sudo grep -i immutable /etc/audit/audit.rules
--loginuid-immutable

If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.

Fix

Configure Amazon Linux 2023 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:

--loginuid-immutable

To rebuild /etc/audit/audit.rules from the files in /etc/audit/rules.d/ and load the rules into the kernel immediately, use the following command:

$ sudo augenrules --load
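The check and fix above as a small POSIX shell script, added here as an example and not part of the STIG text. It reproduces the grep test as a function that also tolerates leading whitespace and rejects commented-out lines, applies the remediation idempotently to a rules.d file, and runs against constructed sample files in a temporary directory so it can be tried without root or auditd. The function names and the demo paths are this example's own; the real paths default to the ones the STIG names.

```shell
#!/bin/sh
# Added example (not from the STIG): verify and remediate the
# --loginuid-immutable audit control directive.

# Return 0 when an uncommented "--loginuid-immutable" line exists in the
# given rules file (default: the compiled /etc/audit/audit.rules the
# STIG check inspects). A leading '#' means the line is commented out,
# which the STIG counts as a finding.
check_loginuid_immutable() {
    rules_file="${1:-/etc/audit/audit.rules}"
    [ -r "$rules_file" ] || return 1
    grep -Eq '^[[:space:]]*--loginuid-immutable([[:space:]]|$)' "$rules_file"
}

# Append the directive to a rules.d file (default: the file the STIG Fix
# names) unless it is already active there, so repeated runs stay idempotent.
fix_loginuid_immutable() {
    rules_d_file="${1:-/etc/audit/rules.d/audit.rules}"
    if check_loginuid_immutable "$rules_d_file"; then
        return 0
    fi
    printf '%s\n' '--loginuid-immutable' >> "$rules_d_file"
}

# Demo on constructed files so nothing on the host is touched.
demo_loginuid_immutable() {
    tmp=$(mktemp -d) || return 1

    # Constructed stand-in for /etc/audit/audit.rules: directive present
    # but commented out, which is a finding.
    printf '%s\n' '-w /etc/passwd -p wa -k identity' \
                  '# --loginuid-immutable' > "$tmp/audit.rules"
    if check_loginuid_immutable "$tmp/audit.rules"; then
        echo "audit.rules: --loginuid-immutable active (not a finding)"
    else
        echo "audit.rules: --loginuid-immutable missing or commented out (finding)"
    fi

    # Constructed stand-in for /etc/audit/rules.d/audit.rules: apply the
    # fix, then re-check it the same way.
    printf '%s\n' '-w /etc/passwd -p wa -k identity' > "$tmp/rules.d.audit.rules"
    fix_loginuid_immutable "$tmp/rules.d.audit.rules"
    if check_loginuid_immutable "$tmp/rules.d.audit.rules"; then
        echo "rules.d: fix applied, directive now active"
    fi

    rm -rf "$tmp"
}

demo_loginuid_immutable
```

On a real host, run the fix function against the default path as root and follow it with `sudo augenrules --load`, which is what turns the rules.d entry into the line the check greps for in /etc/audit/audit.rules. Note that the kernel treats the loginuid-immutable feature as a one-way switch: once loaded it stays in effect until reboot, so confirm on a non-production system that nothing you run depends on changing login UIDs after login.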