Enable Auditing for Processes Which Start Prior to the Audit Daemon

An XCCDF Rule

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... audit=1 ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="audit=1"

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

ID: xccdf_org.ssgproject.content_rule_grub2_audit_argument
Severity: Low
References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8

5.4.1.1

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.02 DSS05.03 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

3.3.1

CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001464 CCI-002884

164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b)

4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 7.1 SR 7.6

A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2

AC-17(1) AU-10 AU-14(1) CM-6(a) IR-5(1)

DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4

FAU_GEN.1

Req-10.3

SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000254-GPOS-00095 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000473-GPOS-00218

OL08-00-030601

SV-248803r853836_rule

10.7.3
Updated: about 1 year ago

[customizations.kernel]
append = "audit=1"

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-OL08-00-030601  - NIST-800-171-3.3.1
  - NIST-800-53-AC-17(1)
  - NIST-800-53-AU-10
  - NIST-800-53-AU-14(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IR-5(1)
  - PCI-DSS-Req-10.3
  - PCI-DSSv4-10.7.3
  - grub2_audit_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="audit=1"
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-OL08-00-030601
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-17(1)
  - NIST-800-53-AU-10
  - NIST-800-53-AU-14(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IR-5(1)
  - PCI-DSS-Req-10.3
  - PCI-DSSv4-10.7.3
  - grub2_audit_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Shell Script

Remediation - Ansible