Details

Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

Solution

Edit /boot/grub/menu.lst to include audit=1 on all kernel lines.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/1864

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.

References

• 800-53|AU-12c.
• CSCv6|6.2

Source

• Tenable.com/audits