Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:3 [2017/05/04 15:56] (current)
Line 1: Line 1:
 +======4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
  
 +=====Description=====
 +Configure ''​grub''​ so that processes that are capable of being audited can be audited even if they start up prior to ''​auditd''​ startup.
 +
 +=====Rationale=====
 +Audit events need to be captured on processes that start up prior to ''​auditd'',​ so that potential malicious activity cannot go undetected.
 +
 +=====Audit===== ​
 +Run the following command and verify that each linux line has the ''​audit=1''​ parameter set:
 +<​Code:​bash>​
 +# grep "​^\s*linux"​ /​boot/​grub2/​grub.cfg
 +enabled
 +</​Code>​
 +
 +=====Remediation===== ​
 +Edit ''/​etc/​default/​grub''​ and add audit=1 to GRUB_CMDLINE_LINUX:​
 +<​Code:​bash>​
 +GRUB_CMDLINE_LINUX="​audit=1"​
 +</​Code>​
 +Run the following command to update the ''​grub2''​ configuration:​
 +<​Code:​bash>​
 +# grub2-mkconfig > /​boot/​grub2/​grub.cfg
 +</​Code>​
 +
 +=====Notes=====
 +This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.