RHEL 9 must enable auditing of processes that start prior to the audit daemon.

An XCCDF Rule

Description

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095

ID: SV-257796r1044847_rule
Version: RHEL-09-212055
Severity: Low
References: CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001464 CCI-002884
Updated: about 2 months ago

Remediation Templates

Enable auditing of processes that start prior to the audit daemon with the following command:

$ sudo grubby --update-kernel=ALL --args="audit=1"

Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:

GRUB_CMDLINE_LINUX="audit=1"

RHEL 9 must enable auditing of processes that start prior to the audit daemon.

Description

Remediation Templates

A Manual Procedure