Extend Audit Backlog Limit for the Audit Daemon in zIPL
An XCCDF Rule
Description
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in /boot/loader/entries/*.conf
have audit_backlog_limit=8192
included in its options.
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add audit_backlog_limit=8192
to /etc/kernel/cmdline
.
Rationale
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.
- ID
- xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Ensure BLS boot entries options contain audit_backlog_limit=8192
block:
- name: 'Check how many boot entries exist '
find:
paths: /boot/loader/entries/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="audit_backlog_limit=8192"