Enable Auditing for Processes Which Start Prior to the Audit Daemon
An XCCDF Rule
Description
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1
to the default
GRUB 2 command line for the Linux operating system.
Configure the default Grub2 kernel command line to contain audit=1 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
Rationale
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd
takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
- ID
- xccdf_org.ssgproject.content_rule_grub2_audit_argument
- Severity
- Low
- References
- Updated
Remediation - OS Build Blueprint
[customizations.kernel]
append = "audit=1"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.3.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
grubby --update-kernel=ALL --args=audit=1
else