UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Auditing must be enabled at boot by setting a kernel parameter.


Overview

Finding ID Version Rule ID IA Controls Severity
V-209068 OL6-00-000525 SV-209068r505921_rule Low
Description
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2020-09-10

Details

Check Text ( C-9321r357989_chk )
Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time.
If auditing is not enabled at boot time, this is a finding.
Fix Text (F-9321r357990_fix)
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf", in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.