To improve the kernel's capacity to queue audit events — including those generated before the audit daemon (auditd) has started — add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system.
Configure the default GRUB 2 kernel command line to contain audit_backlog_limit=8192 as follows:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
This appends the argument to the existing kernelopts variable held in the GRUB environment block; if kernelopts already carries an audit_backlog_limit= setting, replace the old value rather than leaving two copies on the command line. The remediations below take the other route — editing GRUB_CMDLINE_LINUX in /etc/default/grub and regenerating the GRUB configuration — and, like any kernel command-line change, take effect only after a reboot.
Rationale
audit_backlog_limit sets the length of the kernel queue that holds audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, every audit message is held in this
queue, so a queue that is too small loses early-boot events. If the queue overflows during the boot
process, the kernel takes the action configured by the audit failure flag (auditctl -f), which,
depending on its value, may discard the events, log a kernel message, or panic the system.
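# Remediation is applicable only in certain platforms
# Skip inside containers (they have no bootloader of their own) and on hosts
# where the grub2 package is not installed.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2; }; then
    # Correct the form of default kernel command line in GRUB
    # Three cases for /etc/default/grub:
    #   1. an audit_backlog_limit= argument is already present -> rewrite its value
    #   2. GRUB_CMDLINE_LINUX exists without the argument        -> append it
    #   3. GRUB_CMDLINE_LINUX is missing entirely                -> add the line
    if grep -q '^\s*GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
        # modify the GRUB command-line if an audit_backlog_limit= arg already exists
        sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)audit_backlog_limit=[^[:space:]]\+\(.*\"\)/\1audit_backlog_limit=8192\2/" '/etc/default/grub'
    # Add to already existing GRUB_CMDLINE_LINUX parameters
    elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
        # no audit_backlog_limit= arg is present, append it just before the closing quote
        sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 audit_backlog_limit=8192\"/" '/etc/default/grub'
    # Add GRUB_CMDLINE_LINUX parameters line
    else
        echo "GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\"" >> '/etc/default/grub'
    fi
    # Regenerate the live GRUB configuration. GRUB reads /boot/grub2/grub.cfg,
    # and the Ansible remediation for this rule writes that same path; the
    # previous target, /boot/grub2/grub2.cfg, is not read by GRUB, so the new
    # argument never reached the boot entries.
    # NOTE(review): on systems whose BLS boot entries carry their own option
    # strings instead of reading kernelopts/grub.cfg, regenerating grub.cfg may
    # leave existing entries unchanged — confirm the argument is present in the
    # entries (e.g. `grubby --info=ALL`) and apply it with
    # `grubby --update-kernel=ALL --args=...` if it is not. A reboot is required
    # either way.
    grub2-mkconfig -o /boot/grub2/grub.cfg
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi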
Remediation - Ansible
# Collect the installed-package inventory so the following tasks can be gated
# on the grub2 package being present.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy
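# Read-only probe: does GRUB_CMDLINE_LINUX already carry an audit_backlog_limit=
# argument?  grep's exit status (argcheck.rc) is the result the later tasks
# branch on, so the task must never fail and must never be reported as a
# change.  check_mode: false lets the probe run under --check as well;
# otherwise it is skipped there and every dependent task skips with it.
- name: Check audit_backlog_limit argument exists
  ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*audit_backlog_limit=' /etc/default/grub
  failed_when: false
  changed_when: false
  check_mode: false
  register: argcheck
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy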
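# Read-only probe: is there any GRUB_CMDLINE_LINUX= line at all?  Named
# distinctly from the argument probe above so the two tasks can be told apart
# in play output and with --start-at-task.  As with that probe, grep's exit
# status (linecheck.rc) is the result, so it never fails, never reports a
# change, and still runs under --check.
- name: Check GRUB_CMDLINE_LINUX line exists
  ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  changed_when: false
  check_mode: false
  register: linecheck
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy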
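# Case 3: /etc/default/grub has no GRUB_CMDLINE_LINUX line at all, so add one
# holding only the required argument (the file is created if missing).  The
# value is written without a trailing space so it matches what the bash
# remediation writes.
- name: Add audit_backlog_limit argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
    - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc != 0
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy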
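# Case 1: GRUB_CMDLINE_LINUX already carries an audit_backlog_limit= argument,
# so rewrite its value in place.  The pattern is anchored to the
# GRUB_CMDLINE_LINUX line (as the bash remediation's sed is) rather than
# matching the token anywhere in the file, and the value class accepts any
# non-blank, non-quote run so an unexpected existing value is still replaced.
- name: Replace existing audit_backlog_limit argument
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '(^\s*GRUB_CMDLINE_LINUX=.*)audit_backlog_limit=[^\s"]+'
    replace: '\1audit_backlog_limit=8192'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
    - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and linecheck.rc == 0
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy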
# Case 2: GRUB_CMDLINE_LINUX exists but lacks the argument, so insert it just
# before the line's closing quote.  The greedy `.*` runs to the last `"` on
# the line, which is the one that closes the value.
- name: Add audit_backlog_limit argument
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '(^\s*GRUB_CMDLINE_LINUX=.*)"'
    replace: '\1 audit_backlog_limit=8192"'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
    - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc == 0
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy
# Regenerate the live GRUB configuration from /etc/default/grub.  This runs
# whenever the platform applies, not only when a previous task changed the
# file, so it always reports "changed"; the new argument takes effect only
# after a reboot.
# NOTE(review): on systems whose BLS boot entries carry their own option
# strings rather than reading kernelopts/grub.cfg, regenerating grub.cfg may
# leave existing entries untouched — confirm the argument reaches the entries
# (e.g. `grubby --info=ALL`) and use `grubby --update-kernel=ALL --args=...`
# if it does not.
- name: Update grub defaults and the bootloader menu
  ansible.builtin.command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"grub2" in ansible_facts.packages'
  tags:
    - CCE-91374-9
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-10.7.2
    - grub2_audit_backlog_limit_argument
    - low_disruption
    - low_severity
    - medium_complexity
    - reboot_required
    - restrict_strategy