Extend Audit Backlog Limit for the Audit Daemon

An XCCDF Rule

Description

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

ID: xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
Severity: Medium
References: CM-6(a)

SRG-OS-000254-GPOS-00095

CCE-82671-9
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - audit_backlog_limit=8192

Extend Audit Backlog Limit for the Audit Daemon

Description

Rationale

Remediation - Kubernetes Patch