On 4/22/13 8:59 AM, Rodrian, Logan P (IS) wrote:
Does this also work if the audit=1 is set somewhere other than the end of the kernel list?  I believe that is where I was seeing it not be caught.

Logan Rodrian


________________________________________
From: scap-security-guide [trac@fedorahosted.org]
Sent: Friday, April 19, 2013 22:26
Subject: EXT :Re: [scap-security-guide] #174: False positive: enable_auditd_bootloader

#174: False positive:  enable_auditd_bootloader
------------------------------+-------------------------------------
  Reporter:  Logan.Rodrian@…  |      Owner:  mnewman23
      Type:  defect           |     Status:  closed
  Priority:  major            |  Milestone:  RHEL6 STIG OVAL Content
 Component:  OVAL content     |    Version:  0.5.0-InitialDraft
Resolution:  worksforme       |   Keywords:
Blocked By:                   |   Blocking:
------------------------------+-------------------------------------
Changes (by shawndwells):

 * cc: scap-security-guide@… (added)
 * status:  new => closed
 * resolution:   => worksforme


Comment:

 [root@rhel6 checks]# grep audit=1 /etc/grub.conf
 (nodda)

 [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
 Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentCK9K2I.xml
 Definition oval:scap-security-guide.testing:def:247: false
 Evaluation done.

 [root@rhel6 checks]# vim /etc/grub.conf
 [root@rhel6 checks]# grep audit=1 /etc/grub.conf
         kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet audit=1
 [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
 Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentafOktZ.xml
 Definition oval:scap-security-guide.testing:def:247: true
 Evaluation done.

 Resolving as worksforme

The location of audit=1 within the kernel line doesn't matter. Just double-checked; the following all pass:

        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us audit=1 crashkernel=auto rhgb quiet


        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD audit=1 rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us  crashkernel=auto rhgb quiet

        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=uscrashkernel=auto rhgb quiet audit=1
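The point above in runnable form, as an added example that is not from the ticket or from scap-security-guide's own OVAL content: a POSIX shell approximation of the bootloader audit check that passes a kernel line wherever `audit=1` sits, and (going beyond the three lines shown) fails an entry whose argument is missing or explicitly set to `audit=0`. The grub.conf contents are constructed for the example.

```sh
# Added example, not code from the ticket or from scap-security-guide.
# Scans every "kernel" line of a grub.conf and passes only when "audit=1"
# is present as its own argument, at any position on the line.
check_grub_audit() {
    # $1: grub.conf contents as a string. Prints PASS/FAIL per kernel line;
    # returns 0 only when every kernel line carries audit=1.
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^[ \t]*kernel[ \t]/ {
            ok = 0
            # awk splits on whitespace, so $i is one whole kernel argument:
            # "audit=0" or "KEYTABLE=usaudit=1" never equals "audit=1".
            for (i = 2; i <= NF; i++) if ($i == "audit=1") ok = 1
            print (ok ? "PASS: " : "FAIL: ") $0
            if (!ok) bad = 1
        }
        END { exit bad }'
}

# Constructed grub.conf: audit=1 at the end, in the middle, and right after "ro".
GRUB_OK='default=0
timeout=5
title RHEL6 (end)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rhgb quiet audit=1
        initrd /initramfs-2.6.32-358.2.1.el6.x86_64.img
title RHEL6 (middle)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro audit=1 rd_NO_DM crashkernel=auto rhgb quiet
title RHEL6 (start)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro audit=1 root=/dev/mapper/vg_rhel6-lv_root'

# Constructed grub.conf that must fail: one entry lacks the argument and one
# explicitly disables auditing with audit=0.
GRUB_BAD='title RHEL6 (missing)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rhgb quiet
title RHEL6 (disabled)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro audit=0 rhgb quiet'

# On a real host: check_grub_audit "$(cat /etc/grub.conf)"
check_grub_audit "$GRUB_OK"
check_grub_audit "$GRUB_BAD" || echo "at least one kernel line is missing audit=1"
```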