{"description": "To ensure all processes can be audited, even those which start prior to the audit daemon,\ncheck that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>\nincluded in its options.<br />\n\nTo ensure that new kernels and boot entries continue to enable audit,\nadd <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.", "rationale": "Each process on the system carries an \"auditable\" flag which indicates whether\nits activities can be audited. Although <tt>auditd</tt> takes care of enabling\nthis for all processes which launch after it does, adding the kernel argument\nensures it is set for every process during boot.", "severity": "medium", "references": {"ospp": ["FAU_GEN.1"], "cis": ["6.3.1.3"]}, "control_references": {"cis": ["6.3.1.3"]}, "components": [], "identifiers": {}, "ocil_clause": "auditing is not enabled at boot time", "ocil": "To check that audit is enabled at boot time, check all boot entries with following command:\n<pre>sudo grep -L \"^options\\s+.*\\baudit=1\\b\" /boot/loader/entries/*.conf</pre>\nNo line should be returned, each line returned is a boot entry that doesn't enable audit.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["s390x_arch"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["s390x_arch"], "bash_conditional": null, "fixes": {}, "title": "Enable Auditing to Start Prior to the Audit Daemon in zIPL", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml", "template": {"name": "zipl_bls_entries_option", "vars": {"arg_name": "audit", "arg_value": "1"}, "backends": {}}}