Page 1 of 1

Startup audit rule

Posted: 2019/10/24 08:21:42
by gjlendrino
Dear all, I need to audit CentOS 7.7 platform statup. I have seen a lot of information related to audit shutdown or reboot using auditctl, but anything related to startup, ┬┐could you give a hand with this issue?
Thanks in advance

Re: Startup audit rule

Posted: 2019/10/24 19:34:23
by aks
How much of start-up? Audit can not audit before it starts!

Re: Startup audit rule

Posted: 2019/10/27 01:38:57
by gjlendrino
I have a requirement that says:
"Audit machine startup and machine shutdown"

I know how to audit shutdown command execution and reboot command execution.
Even I know that booting with "audit=1" on the kernel make sure auditing is enabled on all auditible processes (including the processes launched prior to the audit process itself).

But I don't know how to audit machine startup :(

Re: Startup audit rule

Posted: 2019/10/27 18:19:12
by aks
AFAIK you can't - you need some software on the local machine to generate the records - whether it's a client or a server is irrelevant. Software can simply not do anything before it is running.

These (often really stupid) "security requirements" documents (especially the line you mention) just means "start auditing as soon as possible". Switch on auditing = <insert heavy check mark>. But hey, don't take my word for it, ask the author what they mean.