InformationConfigure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.
Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.
SolutionRun the following command to add audit=1 to GRUB_CMDLINE_LINUX:
# grubby --update-kernel ALL --args 'audit=1'
This recommendation is designed around the grub2 bootloader, if another bootloader is in use in your environment enact equivalent settings.