3 files changed, 10 insertions, 2 deletions

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 1a37280..2f30e78 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -219,12 +219,16 @@ executing the file is no longer allowed:
     -sh: /usr/bin/rpm: Permission denied
 
 Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
 changing your local.conf:
     SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
     CORE_IMAGE_EXTRA_INSTALL += "auditd"
 
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+    QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+    QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
 
 Adding auditd is not strictly necessary but helps to capture a
 more complete set of events in /var/log/audit/ and search in
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
index be60bfe..9c599aa 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
@@ -1 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
 require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux/audit.cfg b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 0000000..214dbe3
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y