Enable Auditing for Processes Which Start Prior to the Audit Daemon

An XCCDF Rule

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... audit=1 ..."

Run the following command to update command line for already installed kernels:

# update-grub

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

ID: xccdf_org.ssgproject.content_rule_grub2_audit_argument
Severity: Low
References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8

5.4.1.1

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.02 DSS05.03 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

3.3.1

CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001464 CCI-002884

164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b)

4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 7.1 SR 7.6

A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2

AC-17(1) AU-10 AU-14(1) CM-6(a) IR-5(1)

DE.AE-3 DE.AE-5 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4

FAU_GEN.1

Req-10.3

SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000254-GPOS-00095 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 SRG-OS-000473-GPOS-00218

4.1.1.3

10.7.3
Updated: about 1 year ago

[customizations.kernel]
append = "audit=1"

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an audit= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)audit=[^[:space:]]\+\(.*\"\)/\1audit=1\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no audit=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 audit=1\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"audit=1\"" >> '/etc/default/grub'
fi
update-grub

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Shell Script