{"description": "To ensure all processes can be audited, even those which start\nprior to the audit daemon, add the argument <tt>audit=1</tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>audit=1</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>audit=1</tt> to the\ndefault Grub2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... audit=1 ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>", "rationale": "Each process on the system carries an \"auditable\" flag which indicates whether\nits activities can be audited. Although <tt>auditd</tt> takes care of enabling\nthis for all processes which launch after it does, adding the kernel argument\nensures it is set for every process during boot.", "severity": "low", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "3", "4", "5", "6", "7", "8"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.3.1"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(5)(ii)(C)", "164.310(a)(2)(iv)", "164.310(d)(2)(iii)", "164.312(b)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", 
"A.14.1.3", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AC-17(1)", "AU-14(1)", "AU-10", "CM-6(a)", "IR-5(1)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "ospp": ["FAU_GEN.1"], "pcidss": ["Req-10.3"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-OS-000473-GPOS-00218", "SRG-OS-000254-GPOS-00095"], "cis": ["6.3.1.3"], "pcidss4": ["10.7.2", "10.7"], "stigid": ["UBTU-22-212015"], "stigref": ["SV-260471r991555_rule"]}, "control_references": {"cis": ["6.3.1.3"], "pcidss4": ["10.7.2", "10.7"], "stigid": ["UBTU-22-212015"]}, "components": [], "identifiers": {}, "ocil_clause": "auditing is not enabled at boot time", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>audit=1</tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub</pre>\nMoreover, the current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf it includes <tt>audit=1</tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'audit=1'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "To ensure that <tt>audit=1</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>audit=1</tt> to the\ndefault Grub2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... audit=1 ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must enable auditing of processes that start prior to the audit daemon.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enable auditing of processes that start prior to the audit daemon.", "vuldiscussion": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nIf auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.", "checktext": "Verify that GRUB 2 is configured to enable auditing of processes that start prior to the audit daemon with the following commands:\n\nCheck that the current GRUB 2 configuration enables auditing:\n\n$ sudo grubby --info=ALL | grep args | grep -v 'audit=1'\n\nIf any output is returned, this is a finding.\n\nCheck that auditing is enabled by default to persist in kernel updates:\n\n$ grep audit /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"audit=1\"\n\nIf \"audit\" is not set to \"1\", is missing, or is commented out, this is a finding.", "fixtext": "Enable auditing of processes that start prior to the audit daemon with the following command:\n\n$ sudo grubby --update-kernel=ALL --args=\"audit=1\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"audit=1\""}}, "platform": "grub2", "platforms": ["grub2"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["grub2"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Auditing for Processes Which Start Prior to the Audit Daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/grub2_audit_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "audit", "arg_value": "1"}, "backends": {}}}