UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Auditing must be enabled at boot by setting a kernel parameter.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38438 RHEL-06-000525 SV-50238r4_rule Low
Description
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2018-11-28

Details

Check Text ( C-45992r4_chk )
Inspect the kernel boot arguments (which follow the word "kernel") in "/boot/grub/grub.conf". If they include "audit=1", then auditing is enabled at boot time.

If auditing is not enabled at boot time, this is a finding.

If the system uses UEFI inspect the kernel boot arguments (which follow the word "kernel") in “/boot/efi/EFI/redhat/grub.conf”. If they include "audit=1", then auditing is enabled at boot time.
Fix Text (F-43382r4_fix)
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf”, in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.