UCF STIG Viewer Logo

Auditing must be enabled at boot by setting a kernel parameter.


Finding ID Version Rule ID IA Controls Severity
V-38438 RHEL-06-000525 SV-50238r2_rule Low
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2015-05-26


Check Text ( C-45992r2_chk )
Inspect the kernel boot arguments (which follow the word "kernel") in "/etc/grub.conf". If they include "audit=1", then auditing is enabled at boot time.

If auditing is not enabled at boot time, this is a finding.
Fix Text (F-43382r2_fix)
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/etc/grub.conf", in the manner below:

kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.