The Ubuntu operating system must initiate session audits at system start-up.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-238299 | UBTU-20-010198 | SV-238299r1069095_rule | Medium |
| Description |
| If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. |
| STIG | Date |
| Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide | 2025-05-16 |
Details
| Check Text (C-41509r1069093_chk) |
| Verify the Ubuntu operating system enables auditing at system startup. Verify the auditing is enabled in grub with the following command: $ sudo grep "^\s*linux" /boot/grub/grub.cfg linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro recovery nomodeset audit=1 If any linux lines do not contain "audit=1", this is a finding. Note: Output may vary by system. |
| Fix Text (F-41468r1069094_fix) |
| Configure the Ubuntu operating system to produce audit records at system startup. Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option and to the "GRUB_CMDLINE_LINUX_DEFAULT" option. GRUB_CMDLINE_LINUX_DEFAULT="audit=1" GRUB_CMDLINE_LINUX="audit=1" To update the grub config file, run: $ sudo update-grub |