From Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Part of SRG-OS-000062
Associated with: CCI-000169
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Inspect the kernel boot arguments (which follow the word "kernel") in "/boot/grub/grub.conf". If they include "audit=1", then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding. If the system uses UEFI inspect the kernel boot arguments (which follow the word "kernel") in “/boot/efi/EFI/redhat/grub.conf”. If they include "audit=1", then auditing is enabled at boot time.
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/boot/grub/grub.conf" or “/boot/efi/EFI/redhat/grub.conf”, in the manner below: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer