4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled

Audit

Run the following command:

# find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -v 'audit=1'

Nothing should be returned.

Remediation

Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:

Example:

GRUB_CMDLINE_LINUX="audit=1"

Run the following command to update the grub2 configuration:

# update-grub
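
The check extended to the three places the parameter has to appear, as an added example that is not part of the benchmark text: the generated grub.cfg, GRUB_CMDLINE_LINUX in /etc/default/grub, and the running kernel's command line (normally /proc/cmdline), which only changes after a reboot. It also matches audit=1 as a whole parameter, which the plain grep above does not. Function names are illustrative and the sample files at the end are constructed.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Paths are arguments so the
# checks can be pointed at copies; the demo at the end uses constructed files.

# has_audit_param STRING: true if audit=1 is present as a whole parameter
# (so audit=10 or noaudit=1 do not satisfy the check).
has_audit_param() {
    case " $(printf '%s' "$1" | tr '\t\n' '  ') " in
        *" audit=1 "*) return 0 ;;
    esac
    return 1
}

# grub_cfg_missing FILE: print each 'linux' boot line lacking audit=1.
grub_cfg_missing() {
    awk '$1 ~ /^linux/ {
        ok = 0
        for (i = 2; i <= NF; i++) if ($i == "audit=1") ok = 1
        if (!ok) print
    }' "$1"
}

# default_grub_ok FILE: true if the last GRUB_CMDLINE_LINUX= assignment has audit=1.
default_grub_ok() {
    val=$(sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1 | tr -d "\"'")
    has_audit_param "$val"
}

# check_audit_boot GRUB_CFG DEFAULT_GRUB CMDLINE: report each layer, return 1 on any failure.
check_audit_boot() {
    rc=0
    [ -z "$(grub_cfg_missing "$1")" ] || { echo "FAIL: $1: boot entry without audit=1"; rc=1; }
    default_grub_ok "$2" || { echo "FAIL: $2: GRUB_CMDLINE_LINUX lacks audit=1"; rc=1; }
    has_audit_param "$(cat "$3")" || { echo "FAIL: $3: running kernel booted without audit=1"; rc=1; }
    [ "$rc" -ne 0 ] || echo "PASS: audit=1 present in all three places"
    return "$rc"
}

# Demo on constructed sample files (state after editing /etc/default/grub and
# running update-grub, but before rebooting).
demo=$(mktemp -d)
printf '%s\n' 'menuentry "sample" {' \
    '    linux /vmlinuz-sample root=/dev/sda1 ro audit=1 quiet' '}' > "$demo/grub.cfg"
printf '%s\n' 'GRUB_CMDLINE_LINUX="audit=1"' > "$demo/default_grub"
printf '%s\n' 'BOOT_IMAGE=/vmlinuz-sample root=/dev/sda1 ro quiet' > "$demo/cmdline"
check_audit_boot "$demo/grub.cfg" "$demo/default_grub" "$demo/cmdline" || true
```

On a real host, pass the grub.cfg found under /boot, /etc/default/grub and /proc/cmdline as the three arguments.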