4.1.3 Ensure auditing for processes that start prior to auditd is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

Solution

Edit /boot/grub/grub.conf to include audit=1 on all kernel lines.

See Also

https://workbench.cisecurity.org/files/1859

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-14(1), 800-53|SI-7(9), CSCv6|6.2

Plugin: Unix

Control ID: 6a115a13b8f20a72c783baae4228b5bcc1084ab7c635461a4c06eab77224ea8f