Auditing must be enabled at boot by setting a kernel parameter.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22598 | GEN000000-LNX00720 | SV-44759r1_rule | ECSC-1 | Low |
| Description |
|---|
| If auditing is enabled late in the boot process, the actions of startup scripts may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. |
| STIG | Date |
|---|---|
| SUSE Linux Enterprise Server v11 for System z | 2012-12-13 |
Details
| Check Text ( C-42264r1_chk ) |
|---|
| Check for the audit=1 kernel parameter. # grep 'audit=1' /proc/cmdline If no results are returned, this is a finding. |
| Fix Text (F-38209r1_fix) |
|---|
| Edit the zipl boot loader configuration file /etc/zipl.conf and include "audit=1" in the kernel parameters list. Run zipl to update the boot loader configuration: # zipl Reboot the system for the change to take effect. |