Startup audit rule

Support for security such as Firewalls and securing linux
Post Reply
gjlendrino
Posts: 2
Joined: 2019/10/24 07:50:20

Startup audit rule

Post by gjlendrino » 2019/10/24 08:21:42

Dear all, I need to audit CentOS 7.7 platform statup. I have seen a lot of information related to audit shutdown or reboot using auditctl, but anything related to startup, ¿could you give a hand with this issue?
Thanks in advance

aks
Posts: 2844
Joined: 2014/09/20 11:22:14

Re: Startup audit rule

Post by aks » 2019/10/24 19:34:23

How much of start-up? Audit can not audit before it starts!

gjlendrino
Posts: 2
Joined: 2019/10/24 07:50:20

Re: Startup audit rule

Post by gjlendrino » 2019/10/27 01:38:57

I have a requirement that says:
"Audit machine startup and machine shutdown"

I know how to audit shutdown command execution and reboot command execution.
Even I know that booting with "audit=1" on the kernel make sure auditing is enabled on all auditible processes (including the processes launched prior to the audit process itself).

But I don't know how to audit machine startup :(

aks
Posts: 2844
Joined: 2014/09/20 11:22:14

Re: Startup audit rule

Post by aks » 2019/10/27 18:19:12

AFAIK you can't - you need some software on the local machine to generate the records - whether it's a client or a server is irrelevant. Software can simply not do anything before it is running.

These (often really stupid) "security requirements" documents (especially the line you mention) just means "start auditing as soon as possible". Switch on auditing = <insert heavy check mark>. But hey, don't take my word for it, ask the author what they mean.

Post Reply

Return to “CentOS 7 - Security Support”