1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
documentation_complete: true
title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken.
severity: medium
identifiers:
cce@rhel8: CCE-83341-8
cce@rhel9: CCE-84099-1
cce@rhel10: CCE-89871-8
references:
ospp: FAU_STG.1,FAU_STG.3
ocil_clause: 'audit backlog limit is not configured'
ocil: |-
To check that all boot entries extend the backlog limit;
Check that all boot entries extend the log events queue:
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
template:
name: zipl_bls_entries_option
vars:
arg_name: audit_backlog_limit
arg_value: '8192'
|
