Level 2 - Server Level 2 - Workstation
Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.
Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Run the following command and verify that each linux line has the audit=1 parameter set:
# grep "^\s*linux" /boot/grub/grub.cfg enabled
Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX:
GRUB_CMDLINE_LINUX="audit=1"
Run the following command to update the grub2 configuration:
# update-grub
This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.