5.3.4 Enable Auditing for Processes That Start Prior to auditd
Information
Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Solution
Run the following: # ed /etc/grub.conf << END g/kernel/s/$/ audit=1/ w q END Default Value: OS Default: N/A