4.1.4 Ensure auditing for processes that start prior to auditd is enabled

Information

Configure grub so that processes that are capable of being audited can be audited even if
they start up prior to auditd startup.

Rationale:

Audit events need to be captured on processes that start up prior to auditd , so that
potential malicious activity cannot go undetected.

Solution

For grub2 based systems edit /etc/default/grub and add audit=1 to
GRUB_CMDLINE_LINUX:

GRUB_CMDLINE_LINUX="audit=1"

Run the following command to update the grub2 configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

or

# update-grub

For grub based systems edit /boot/grub/menu.lst to include audit=1 on all kernel lines.

Notes:

This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.

Replace /boot/grub2/grub.cfg, /boot/grub/grun.cfg, /boot/grub/menu.lst with the
appropriate grub configuration file for your environment.

See Also

https://workbench.cisecurity.org/files/2420