4.1.3 Ensure auditing for processes that start prior to auditd is enabled

Information

Audit events need to be captured on processes that start up prior to auditd, so that
potential malicious activity cannot go undetected.

Solution

Edit /boot/grub/menu.lst to include audit=1 on all kernel lines.Notes-This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|6.2

Plugin: Unix

Control ID: bd0b1e3256f959dd560b839bcf4eca1b6f78dec411626a67a7f5caad6a180fbf