UCF STIG Viewer Logo

Auditing must be enabled at boot by setting a kernel parameter.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22598 GEN000000-LNX00720 SV-27001r1_rule Low
Description
If auditing is enabled late in the boot process, the actions of startup scripts may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2017-03-01

Details

Check Text ( C-36032r1_chk )
Check for the audit=1 kernel parameter.
# grep 'audit=1' /proc/cmdline
If no results are returned, this is a finding.
Fix Text (F-31278r1_fix)
Edit the grub bootloader file /boot/grub/grub.conf or /boot/grub/menu.lst by appending the "audit=1" parameter to the kernel boot line.
Reboot the system for the change to take effect.