mediumauditverified ✓rollback-safe
Protect audit logon UIDs from unauthorized change
auditd-loginuid-immutable · RHEL ≥ 8 · 1 impl
Description
The audit system must be configured to protect logon UIDs from unauthorized change by setting --loginuid-immutable.
Rationale
The loginuid tracks the original user who logged in, even across su/sudo. Making it immutable prevents attackers from changing their login UID to mask their identity in audit records.
Check → Remediate
Checkcommand
grep -c '\-\-loginuid-immutable' /etc/audit/rules.d/audit.rules
- expected_exit:
- 0
Remediateconfig_append
- path:
- /etc/audit/rules.d/audit.rules
- line:
- --loginuid-immutable
Framework references
STIG
V-258228V-230403
NIST 800-53
AU-9AC-6
Live verification
rhel8:checkrhel9:check
#audit#auditd#integrity#configuration