>From acd812439465d062fdf262d72501a3d7b75d6145 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Sat, 25 Feb 2012 15:34:06 -0500
Subject: [PATCH 18/24] Created audit_system_startup_scripts
 - Need to monitor the system startup process, which would be through init

---
 rhel6/src/input/system/auditing.xml |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index 887b227..bd6291c 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -441,6 +441,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 <ref nist="AU-2" />
 </Rule>
 
+<Rule id="audit_system_startup_scripts">
+<title>Audit Alterations to System Startup Scripts</title>
+<description>Red Hat Enterprise Linux 6 utilizes the <tt>init</tt> subsystem to boot and start/stop services. To audit the init process add the following lines to <tt>/etc/audit/audit.rules</tt>:
+<br />
+<pre># audit_system_startup_scripts
+-w /etc/sysconfig/init -p wa -k audit_system_startup_scripts
+-w /etc/init/ -p wa -k audit_system_startup_scripts
+-w /etc/inittab -p wa -k audit_system_startup_scripts
+-w /etc/rc.d/init.d/ -p wa -k audit_system_startup_scripts</pre>
+</description>
+<rationale>Alterations to the system boot process should be considered security relevant events, and audited.</rationale>
+<ident cce="TBD" />
+<oval id="TBD" />
+<ref nist="TBD" />
+</Rule>
+
 <Rule id="audit_config_immutable">
 <title>Make the <tt>auditd</tt> Configuration Immutable</title>
 <description>Add the following to the bottom of your <tt>/etc/audit/audit.rules</tt> in order
-- 
1.7.1