UCF STIG Viewer Logo

The Ubuntu operating system must initiate session audits at system start-up.


Finding ID Version Rule ID IA Controls Severity
V-238299 UBTU-20-010198 SV-238299r654072_rule Medium
If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide 2022-12-06


Check Text ( C-41509r654070_chk )
Verify that the Ubuntu operating system enables auditing at system startup.

Verify that the auditing is enabled in grub with the following command:

$ sudo grep "^\s*linux" /boot/grub/grub.cfg

linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1
linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro recovery nomodeset audit=1

If any linux lines do not contain "audit=1", this is a finding.
Fix Text (F-41468r654071_fix)
Configure the Ubuntu operating system to produce audit records at system startup.

Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option.

To update the grub config file, run:

$ sudo update-grub