AlmaLinux OS 9 audit system must protect logon UIDs from unauthorized change.
Overview
Finding ID
Version
Rule ID
IA Controls
Severity
V-269544
ALMA-09-056780
SV-269544r1050427_rule
Medium
Description
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.
Verify the audit system prevents unauthorized changes to logon UIDs with the following command:
$ grep immutable /etc/audit/audit.rules
--loginuid-immutable
If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
Fix Text (F-73476r1049960_fix)
Configure AlmaLinux OS 9 auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules: