>From 071768eb83c01c6d52c2e454bf156c7f30e9da9c Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Sat, 25 Feb 2012 16:58:21 -0500
Subject: [PATCH 21/24] Created audit_sysctl_parameters
 Created audit_sysctl_parameters to audit sysctl changes
 Need to create matching cce

---
 rhel6/src/input/system/auditing.xml |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index 6a3a1f0..fc618d0 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -443,6 +443,19 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 <ref nist="AU-2" />
 </Rule>
 
+<Rule id="audit_sysctl_parameters">
+<title>Audit Changes to Kernel Parameters</title>
+<description>User definable kernel configuration details are held within the <tt>/etc/sysctl.conf</tt> file. To audit changes to this file, add the following to <tt>/etc/audit/audit.rules</tt>:
+<br />
+<pre># audit_sysctl_parameters 
+-w /etc/sysctl.conf -p wa -k audit_sysctl_parameters</pre>
+</description>
+<rationale></rationale>
+<ident cce="TBD" />
+<oval id="TBD" />
+<ref nist="TBD" />
+</Rule>
+
 <Rule id="audit_system_startup_scripts">
 <title>Audit Alterations to System Startup Scripts</title>
 <description>Red Hat Enterprise Linux 6 utilizes the <tt>init</tt> subsystem to boot and start/stop services. To audit the init process add the following lines to <tt>/etc/audit/audit.rules</tt>:
-- 
1.7.1