1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
documentation_complete: true
title: 'Extend Audit Backlog Limit for the Audit Daemon'
description: |-
To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
GRUB 2 command line for the Linux operating system.
{{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken.
severity: low
identifiers:
cce@rhel8: CCE-80943-4
cce@rhel9: CCE-83652-8
cce@rhel10: CCE-88192-0
cce@sle12: CCE-92254-2
cce@sle15: CCE-91374-9
cce@slmicro5: CCE-93870-4
references:
cis@sle12: 4.1.2.4
cis@sle15: 4.1.2.4
nist: CM-6(a)
ospp: FAU_STG.1,FAU_STG.3
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
stigid@ol8: OL08-00-030602
ocil_clause: 'audit backlog limit is not configured'
ocil: |-
{{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
fixtext: |-
{{{ fixtext_grub2_bootloader_argument("audit_backlog_limit", "8192") | indent(4) }}}
srg_requirement: '{{{ full_name }}} must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.'
platform: grub2
template:
name: grub2_bootloader_argument
vars:
arg_name: audit_backlog_limit
arg_value: '8192'
|
