Details
Configure grub or lilo so that processes that are capable of being audited can be audited
even if they start up prior to auditd startup.
Rationale
Audit events need to be captured on processes that start up prior to auditd, so that
potential malicious activity cannot go undetected.
Solution
Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX:

GRUB_CMDLINE_LINUX="audit=1"

And run the following command to update the grub configuration:

# update-grub
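One way to verify the setting after applying the solution, as an added example that is not part of the original control text. The function names and the sample files are constructed for illustration; it checks both the GRUB defaults file and the command line the kernel was actually booted with, since the edit only takes effect after update-grub and a reboot.

```shell
#!/bin/sh
# Added example: check that audit=1 is configured and in effect.

# Succeeds only if the argument string carries audit=1 and no other audit=<value>.
# Matching whole tokens keeps audit_backlog_limit=... from counting as audit=.
has_audit_enabled() {
    tokens=$(printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep '^audit=' | sort -u)
    [ "$tokens" = "audit=1" ]
}

# Print the value of the last uncommented GRUB_CMDLINE_LINUX= assignment in file $1
# (the file is read as shell, so a later assignment overrides an earlier one).
grub_cmdline_value() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1 |
        sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# $1 = grub defaults file, $2 = file holding the kernel command line.
# Prints one status line per check; returns non-zero if either check fails.
check_audit_boot() {
    rc=0
    if has_audit_enabled "$(grub_cmdline_value "$1")"; then
        echo "PASS: $1 sets audit=1 in GRUB_CMDLINE_LINUX"
    else
        echo "FAIL: $1 does not set audit=1 in GRUB_CMDLINE_LINUX"; rc=1
    fi
    if has_audit_enabled "$(cat "$2")"; then
        echo "PASS: running kernel was booted with audit=1"
    else
        echo "FAIL: running kernel was not booted with audit=1"; rc=1
    fi
    return $rc
}

# Constructed sample: the file has been edited, but the host has not rebooted yet.
sample=$(mktemp -d)
printf '%s\n' '#GRUB_CMDLINE_LINUX="audit=0"' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' \
    'GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192"' > "$sample/grub"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$sample/cmdline"
check_audit_boot "$sample/grub" "$sample/cmdline" || echo "=> not compliant yet"
# On a real host: check_audit_boot /etc/default/grub /proc/cmdline
```
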
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.