← Rules Catalog
mediumauditverified rollback-safe

Protect audit logon UIDs from unauthorized change

auditd-loginuid-immutable · RHEL ≥ 8 · 1 impl

Description

The audit system must be configured to protect logon UIDs from unauthorized change by setting --loginuid-immutable.

Rationale

The loginuid tracks the original user who logged in, even across su/sudo. Making it immutable prevents attackers from changing their login UID to mask their identity in audit records.

Check → Remediate

Checkcommand
grep -c '\-\-loginuid-immutable' /etc/audit/rules.d/audit.rules
expected_exit:
0
Remediateconfig_append
path:
/etc/audit/rules.d/audit.rules
line:
--loginuid-immutable

Framework references

STIG

V-258228V-230403

NIST 800-53

AU-9AC-6

Live verification

rhel8:checkrhel9:check
#audit#auditd#integrity#configuration