Enable Auditing for Processes Which Start Prior to the Audit Daemon
An XCCDF Rule
Description
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default GRUB 2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
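A read-only check for the two settings described above, added here as an example (it is not part of the rule's own content). The function names are hypothetical, only the double-quoted GRUB_CMDLINE_LINUX form shown above is parsed, and treating the last audit= token as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: read-only check that audit=1 is set where the rule expects it.

# Succeeds if the last audit= token on a command line string is audit=1.
# Assumption: when the argument is repeated, the last occurrence is effective.
has_audit_enabled() (
    set -f                      # no globbing while splitting into tokens
    effective=
    for tok in $1; do
        case $tok in
            audit=*) effective=${tok#audit=} ;;   # noaudit=1 does not match
        esac
    done
    [ "$effective" = 1 ]        # audit=0 and audit=10 both fail here
)

# Print the value of GRUB_CMDLINE_LINUX="..." from a grub defaults file.
# GRUB_CMDLINE_LINUX_DEFAULT is a different key and is deliberately ignored.
grub_default_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Report each location; return non-zero if either lacks audit=1.
# $1: grub defaults file, $2: file holding the running kernel's command line.
check_audit_argument() {
    defaults=${1:-/etc/default/grub}
    running=${2:-/proc/cmdline}
    rc=0
    if has_audit_enabled "$(grub_default_cmdline "$defaults")"; then
        echo "PASS $defaults"
    else
        echo "FAIL $defaults: newly installed kernels will not get audit=1"; rc=1
    fi
    if has_audit_enabled "$(cat "$running")"; then
        echo "PASS $running"
    else
        echo "FAIL $running: the running kernel was booted without audit=1"; rc=1
    fi
    return $rc
}

# Constructed sample command lines (not taken from a real system).
for sample in "ro quiet audit=1" "ro audit=1 audit=0" "ro noaudit=1 audit=10"; do
    if has_audit_enabled "$sample"; then echo "enabled: $sample"; else echo "missing: $sample"; fi
done
```

On a live host, calling check_audit_argument with no arguments reads /etc/default/grub and /proc/cmdline; a FAIL on the second line after remediation usually just means the system has not been rebooted yet.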
Rationale
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
- ID
- xccdf_org.ssgproject.content_rule_grub2_audit_argument
- Severity
- Low
- References
- Updated
Remediation - OS Build Blueprint
[customizations.kernel]
append = "audit=1"
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-83651-0
    - CJIS-5.4.1.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
    grubby --update-kernel=ALL --args=audit=1
else