Title

Auditing must be enabled at boot by setting a kernel parameter. (Cat III impact)

Discussion

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Check Content

Inspect the kernel boot arguments (which follow the word "kernel") in "/boot/grub/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding. If the system uses UEFI inspect the kernel boot arguments (which follow the word "kernel") in “/boot/efi/EFI/redhat/grub.conf”. If they include "audit=1", then auditing is enabled at boot time.

Fix Text

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf”, in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.

Additional Identifiers

Rule ID: SV-218103r603264_rule

Vulnerability ID: V-218103

Group Title: SRG-OS-000062

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.