Detections
Analytics

1.3 UBTU-22-212015

Information

The operating system must initiate session audits at system startup.

GROUP ID: V-260471
RULE ID: SV-260471r1069117

If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Solution

Configure the operating system to produce audit records at system startup.

Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option and to the "GRUB_CMDLINE_LINUX_DEFAULT" option.

GRUB_CMDLINE_LINUX_DEFAULT="audit=1"
GRUB_CMDLINE_LINUX="audit=1"

To update the grub config file, run:

$ sudo update-grub

See Also

https://workbench.cisecurity.org/benchmarks/22168

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-14(1), CAT|II, CCI|CCI-001464, Rule-ID|SV-260471r1069117_rule, STIG-ID|UBTU-22-212015, Vuln-ID|V-260471

Plugin: Unix

Control ID: 2afb8523d3c7c1f2bd49a4ce6b3ec2cf0358139896c83bacab30e8bf9a36e54b