8.1.3 Enable Auditing for Processes That Start Prior to auditd

Information

Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

Solution

Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX- GRUB_CMDLINE_LINUX='audit=1' And run the following command to update the grub configuration- # update-grub

See Also

https://workbench.cisecurity.org/files/85

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 5f1c0944add157117403d785f61fb69c6f63449f5db2263ff2e33a01c10d606b