4.1.1.4 Ensure auditing for processes that start prior to auditd is enabled

Information

Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.

Rationale:

Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

Solution

Run the following command to add audit=1 to each line starting with kernel in grub.conf

[ -f /boot/efi/EFI/*/grub.conf ] && sed -ri 's/(^s*kernels+.*)$/1 audit=1/g' /boot/efi/EFI/*/grub.conf || sed -ri 's/(^s*kernels+.*)$/1 audit=1/g' /boot/grub/grub.conf

Default Value:

Not set

Additional Information:

Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

See Also

https://workbench.cisecurity.org/files/3152