AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change.

STIG ID: ALMA-09-056780  |  SRG: SRG-OS-000058-GPOS-00028 |  Severity: medium |  CCI: CCI-000163 |  Vulnerability Id: V-269544

Vulnerability Discussion

If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.

Check

Verify the audit system prevents unauthorized changes to logon UIDs with the following command:

$ grep immutable /etc/audit/audit.rules

--loginuid-immutable

If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.

Fix

Configure AlmaLinux OS 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:

--loginuid-immutable
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.