File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (64 lines) | stat: -rw-r--r-- 2,649 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
documentation_complete: true


title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'

description: |-
    To ensure all processes can be audited, even those which start
    prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
    GRUB 2 command line for the Linux operating system.
    {{{ describe_grub2_argument("audit=1") | indent(4) }}}

rationale: |-
    Each process on the system carries an "auditable" flag which indicates whether
    its activities can be audited. Although <tt>auditd</tt> takes care of enabling
    this for all processes which launch after it does, adding the kernel argument
    ensures it is set for every process during boot.

severity: low

identifiers:
    cce@rhel8: CCE-80825-3
    cce@rhel9: CCE-83651-0
    cce@rhel10: CCE-88376-9
    cce@sle12: CCE-91553-8
    cce@sle15: CCE-85832-4
    cce@slmicro5: CCE-93871-2

references:
    cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8
    cis@sle12: 4.1.1.3
    cis@sle15: 4.1.1.3
    cjis: 5.4.1.1
    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.02,DSS05.03,DSS05.04,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
    cui: 3.3.1
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
    isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
    isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 7.1,SR 7.6'
    iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
    nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1)
    nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
    ospp: FAU_GEN.1
    pcidss: Req-10.3
    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095
    stigid@ol8: OL08-00-030601

ocil_clause: 'auditing is not enabled at boot time'

ocil: |-
    {{{ ocil_grub2_argument("audit=1") | indent(4) }}}


platform: grub2

template:
    name: grub2_bootloader_argument
    vars:
        arg_name: audit
        arg_value: '1'

fixtext: |-
    {{{ describe_grub2_argument("audit=1") | indent(4) }}}

srg_requirement: |-
    {{{ full_name }}} must enable auditing of processes that start prior to the audit daemon.