5.2.1.2 Ensure auditing for processes that start prior to auditd is enabled

Information

Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.

Audit events need to be captured on processes that start up prior to auditd so that potential malicious activity cannot go undetected.

Solution

Run the following command to update the grub2 configuration with audit=1 :

# grubby --update-kernel ALL --args 'audit=1'

Edit /etc/default/grub and add audit=1 to the GRUB_CMDLINE_LINUX= line between the opening and closing double quotes:

Example:

GRUB_CMDLINE_LINUX="quiet audit=1"

Note: Other parameters may also be listed

See Also

https://workbench.cisecurity.org/benchmarks/15964