Extend Audit Backlog Limit for the Audit Daemon

An XCCDF Rule

Description

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain audit_backlog_limit=8192 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"

Rationale

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

ID: xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Severity: Low
References: CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001849 CCI-002884

CM-6(a)

FAU_STG.1 FAU_STG.3

SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000254-GPOS-00095 SRG-OS-000341-GPOS-00132 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215

10.7.2
Updated: about 1 year ago