From cd4f420e9b5672697d1061f2d840a70a4795ecd1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 5 Dec 2024 11:13:49 +0100
Subject: [PATCH 1/2] audit_immutable_login_uids: remove stig-specific content
this removes also partially invalid reference to Audit rules directory
---
.../policy/stig/shared.yml | 23 -------------------
.../audit_immutable_login_uids/rule.yml | 10 --------
2 files changed, 33 deletions(-)
delete mode 100644 linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/policy/stig/shared.yml
diff --git a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/policy/stig/shared.yml b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/policy/stig/shared.yml
deleted file mode 100644
index bb9d2d5ee1e..00000000000
--- a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/policy/stig/shared.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-srg_requirement: |-
- {{{ full_name }}} audit system must protect logon UIDs from unauthorized change.
-
-vuldiscussion: |-
- If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.
-
-checktext: |-
- Verify the audit system prevents unauthorized changes to logon UIDs with the following command:
-
- $ sudo grep -i immutable /etc/audit/audit.rules
-
- --loginuid-immutable
-
- If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
-
-fixtext: |-
- Configure {{{ full_name }}} auditing to prevent modification of login UIDs once they are set by adding the following line to /etc/audit/rules.d/audit.rules:
-
- --loginuid-immutable
-
-
- The audit daemon must be restarted for the changes to take effect.
diff --git a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index fc00b38d325..278c50b0cc9 100644
--- a/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -58,17 +58,7 @@ fixtext: |-
--loginuid-immutable
- If the file doesn't exist, it can be copied from /usr/share/audit/sample-rules - using the next command - -
-    cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
-    
- Then, run the following commands: $ sudo chmod o-rwx "/etc/audit/rules.d/11-loginuid.rules" $ sudo augenrules --load
-
-srg_requirement: |-
- {{{ full_name }}} audit system must protect logon UIDs from unauthorized change.
From 9ce6379dd9c3e64a82654c60c1d0938f71d9b129 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 9 Dec 2024 10:41:34 +0100
Subject: [PATCH 2/2] remove the rule also from srg_gpos control files
---
controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml | 1 -
controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml | 1 -
controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml | 1 -
controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml | 1 -
4 files changed, 4 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml b/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
index a148f4d1c7e..8499ea48eb5 100644
--- a/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
+++ b/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
@@ -11,5 +11,4 @@ controls: - file_group_ownership_var_log_audit - file_ownership_var_log_audit_stig - file_permissions_var_log_audit - - audit_immutable_login_uids status: automated
diff --git a/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml b/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
index 7e56605f87d..e04aa90b331 100644
--- a/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
+++ b/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
@@ -10,5 +10,4 @@ controls: - file_group_ownership_var_log_audit - file_ownership_var_log_audit_stig - file_permissions_var_log_audit - - audit_immutable_login_uids status: automated
diff --git a/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml b/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
index 64cf0f62c0e..3273078e9c2 100644
--- a/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
+++ b/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
@@ -11,5 +11,4 @@ controls: - file_group_ownership_var_log_audit - file_ownership_var_log_audit_stig - file_permissions_var_log_audit - - audit_immutable_login_uids status: automated
diff --git a/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml b/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml
index 9c31dbe0ef3..38c04149375 100644
--- a/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml
+++ b/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml
@@ -69,5 +69,4 @@ controls: - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow - grub2_audit_argument - - audit_immutable_login_uids status: automated