5.2.1.3 Ensure audit_backlog_limit is sufficient

Information

The audit_backlog_limit parameter determines how auditd records can be held in the auditd backlog. The default setting of 64 may be insufficient to store all audit events during boot.

During boot if audit=1 then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.

Solution

Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX:

# grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>'

Example:

# grubby --update-kernel ALL --args 'audit_backlog_limit=8192'

Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to the GRUB_CMDLINE_LINUX= line between the opening and closing double quotes:

Example:

GRUB_CMDLINE_LINUX="quiet audit_backlog_limit=8192"

Note: Other parameters may also be listed

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 0dd921cd860ee46fde0d33c0ded6cd94818dd955e81909d7b4240fb63085b249