Profile Applicability:
Level 2
Description:
In some cases, processes may start before the auditd service is initialized. Ensuring auditing for these processes is enabled allows system administrators to capture important events even if the process starts before the audit subsystem is fully active.
Rationale:
Enabling auditing for early-start processes ensures that all critical system activities, including those occurring before the audit service starts, are logged. This improves overall system monitoring, accountability, and security posture by capturing actions that could otherwise evade audit logging.
Impact:
Pros:
Captures system events that would otherwise be missed.
Supports forensic investigations and security incident detection by covering events from process start-up onward.
Cons:
May slightly increase system overhead by capturing more data.
Default Value:
By default, auditing for processes that start before auditd is activated may not be enabled unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify audit settings.
Test Plan:
Using Linux Command Line:
Check whether auditing is set up to capture early-start processes:
grep "audit" /etc/audit/auditd.conf
Verify the audit control status:
sysctl kernel.audit_ctrl
Ensure audit_backlog_limit is set to an appropriate value in the configuration.
Implementation Plan:
Using Linux Command Line:
Open the auditd configuration file:
vi /etc/audit/auditd.conf
Ensure the following option is set with a sufficient backlog limit:
audit_backlog_limit = 8192
(Adjust the value to your system's needs.)
Reload or restart auditd to apply the changes:
systemctl restart auditd
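As an added example (not part of the benchmark text and not code from the auditd project), the following POSIX shell function makes the "ensure audit_backlog_limit is set to an appropriate value" step of the Test Plan, and the verification of the setting applied in the Implementation Plan, repeatable: it parses an auditd.conf-style file, takes the last uncommented audit_backlog_limit line, and reports whether the value meets a required minimum. The function names, exit codes and the sample configuration fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that an auditd.conf-style file sets
# audit_backlog_limit to at least a required minimum (default 8192).
# Exit status of check_backlog_limit:
#   0 = set and >= minimum, 1 = set but too low, 2 = not set or file unreadable.
check_backlog_limit() {
    conf="$1"
    min="${2:-8192}"
    [ -r "$conf" ] || return 2
    # Only uncommented "audit_backlog_limit = N" lines count; the last one wins.
    value=$(sed -n 's/^[[:space:]]*audit_backlog_limit[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$value" ] || return 2
    [ "$value" -ge "$min" ] && return 0
    return 1
}

# Human-readable wrapper around check_backlog_limit; passes its status through.
report_backlog_limit() {
    rc=0
    check_backlog_limit "$1" "$2" || rc=$?
    case $rc in
        0) echo "PASS: $1: audit_backlog_limit >= $2" ;;
        1) echo "FAIL: $1: audit_backlog_limit is below $2" ;;
        *) echo "FAIL: $1: audit_backlog_limit not set (or file unreadable)" ;;
    esac
    return $rc
}

# Constructed sample fragments (not real system files) so the check runs offline.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
# constructed sample: compliant
log_file = /var/log/audit/audit.log
audit_backlog_limit = 8192
EOF
SAMPLE_LOW=$(mktemp)
cat > "$SAMPLE_LOW" <<'EOF'
# constructed sample: set, but too low
audit_backlog_limit = 320
EOF
SAMPLE_MISSING=$(mktemp)
cat > "$SAMPLE_MISSING" <<'EOF'
# constructed sample: only a commented-out line, so nothing is in effect
# audit_backlog_limit = 8192
log_file = /var/log/audit/audit.log
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_LOW" "$SAMPLE_MISSING"' EXIT

# Run the check against the three samples; on a real host use /etc/audit/auditd.conf.
for f in "$SAMPLE_OK" "$SAMPLE_LOW" "$SAMPLE_MISSING"; do
    report_backlog_limit "$f" 8192 || true
done
```

To check a live system, call report_backlog_limit /etc/audit/auditd.conf 8192 (as root, since the file may not be world-readable); a non-zero exit status is what a compliance job should key on, not the printed text.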
Backout Plan:
Using Linux Command Line:
Reopen the configuration file:
vi /etc/audit/auditd.conf
Restore the previous audit_backlog_limit value, or remove the line if it was added during implementation.
Restart the auditd service:
systemctl restart auditd
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Configuration Documentation
NIST SP 800-53 Revision 5 - AU-6