Does this also work if the audit=1 is set somewhere other than the end of the kernel list? I believe that is where I was seeing it not be caught.

Logan Rodrian
________________________________________
From: scap-security-guide [trac@fedorahosted.org]
Sent: Friday, April 19, 2013 22:26
Subject: EXT :Re: [scap-security-guide] #174: False positive: enable_auditd_bootloader

#174: False positive: enable_auditd_bootloader
------------------------------+-------------------------------------
  Reporter:  Logan.Rodrian@…  |      Owner:  mnewman23
      Type:  defect           |     Status:  closed
  Priority:  major            |  Milestone:  RHEL6 STIG OVAL Content
 Component:  OVAL content     |    Version:  0.5.0-InitialDraft
Resolution:  worksforme       |   Keywords:
Blocked By:                   |   Blocking:
------------------------------+-------------------------------------
Changes (by shawndwells):

 * cc: scap-security-guide@… (added)
 * status:  new => closed
 * resolution:  => worksforme

Comment:

 [root@rhel6 checks]# grep audit=1 /etc/grub.conf
 (nodda)
 [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
 Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentCK9K2I.xml
 Definition oval:scap-security-guide.testing:def:247: false
 Evaluation done.
 [root@rhel6 checks]# vim /etc/grub.conf
 [root@rhel6 checks]# grep audit=1 /etc/grub.conf
 kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet audit=1
 [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
 Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentafOktZ.xml
 Definition oval:scap-security-guide.testing:def:247: true
 Evaluation done.

 Resolving as worksforme
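
An added example, not part of the thread or of the project's OVAL content: a position-independent check in Python that treats `audit=1` as a whole kernel argument wherever it appears on a `kernel` line of `grub.conf`. The sample file and the function names are constructed for illustration, and requiring the argument on every kernel entry is an assumption.

```python
import re

# Constructed sample grub.conf (not from the ticket): audit=1 sits mid-line in
# entry A, is absent in entry B, and entry C only carries "audit=10".
SAMPLE_GRUB_CONF = """\
default=0
title Entry A
    kernel /vmlinuz-A ro root=/dev/sda1 audit=1 rhgb quiet
title Entry B
    kernel /vmlinuz-B ro root=/dev/sda1 rhgb quiet
title Entry C
    kernel /vmlinuz-C ro root=/dev/sda1 audit=10 quiet
#   kernel /vmlinuz-D ro root=/dev/sda1 audit=1
"""

# Matches an active (uncommented) kernel line and captures everything after
# the kernel image path, so the argument's position on the line is irrelevant.
KERNEL_LINE = re.compile(r"^\s*kernel\s+\S+(.*)$")


def kernel_lines_missing_audit(grub_conf_text):
    """Return the kernel lines that do not carry audit=1 as a whole argument."""
    missing = []
    for line in grub_conf_text.splitlines():
        m = KERNEL_LINE.match(line)
        if not m:  # comments, title/initrd lines and blanks are skipped
            continue
        # Token comparison, so "audit=10" or "noaudit=1" does not count.
        if "audit=1" not in m.group(1).split():
            missing.append(line.strip())
    return missing


def audit_enabled_at_boot(grub_conf_text):
    """True only if a kernel line exists and every one carries audit=1
    (assumption: all boot entries must enable auditing)."""
    has_kernel = any(KERNEL_LINE.match(l) for l in grub_conf_text.splitlines())
    return has_kernel and not kernel_lines_missing_audit(grub_conf_text)


if __name__ == "__main__":
    for line in kernel_lines_missing_audit(SAMPLE_GRUB_CONF):
        print("missing audit=1:", line)
```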