6.4.1.4 Ensure audit_backlog_limit is sufficient

Information

In the kernel-level audit subsystem, a socket buffer queue is used to hold audit records until the audit daemon (auditd) reads them over the netlink socket. Whenever a new audit event is generated, it is formatted into a record and placed on this queue.

The kernel boot parameter audit_backlog_limit=N, where N is a number of records, ensures that the queue cannot grow beyond N entries. If an audit event is generated that would grow the queue beyond this limit, a failure occurs and is handled according to the audit failure mode configured on the system (the failure flag shown by auditctl -s).

The kernel default is only 64 records, which is easily exhausted during boot, before auditd is running and draining the queue. If an audit event would grow the queue beyond the audit_backlog_limit, the record is dropped (or the system behaves as the failure mode dictates), audit records are lost, and potentially malicious activity could go undetected. Because the limit must already be in effect during early boot, it is set as a kernel parameter rather than only at runtime with auditctl -b.

Solution

Edit /etc/default/grub and add audit_backlog_limit=N to GRUB_CMDLINE_LINUX. The recommended size for N is 8192 or larger. If GRUB_CMDLINE_LINUX already contains parameters (for example audit=1), append audit_backlog_limit=N to the existing quoted value rather than replacing it, so that the other parameters are kept.

Example:

GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"

Run the following command to update the grub2 configuration:

# update-grub
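The following shell script is an added example and is not part of the benchmark text. It checks a kernel command line for an audit_backlog_limit value of at least 8192, appends the parameter to GRUB_CMDLINE_LINUX in a copy of /etc/default/grub without discarding parameters already present (the weakness of a bare GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" line is that it overwrites anything else that was there), and shows how to read the limit the running kernel reports. The function names, the minimum of 8192 and the sample /etc/default/grub contents are assumptions made for the example; the demo operates on a temporary file, never on the live configuration.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark): audit_backlog_limit checks
# and a non-clobbering edit of GRUB_CMDLINE_LINUX.

MIN_BACKLOG=8192   # assumed minimum, matching the recommendation above

# backlog_limit_value CMDLINE -> prints N from the last audit_backlog_limit=N
# on the command line, or nothing if the parameter is absent.
backlog_limit_value() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^audit_backlog_limit=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# check_backlog_limit CMDLINE -> returns 0 only if audit_backlog_limit is
# present and at least MIN_BACKLOG. Use with the live kernel command line:
#   check_backlog_limit "$(cat /proc/cmdline)"
# or with each "linux" line found in /boot/grub/grub.cfg.
check_backlog_limit() {
    val=$(backlog_limit_value "$1")
    [ -n "$val" ] && [ "$val" -ge "$MIN_BACKLOG" ]
}

# add_backlog_limit FILE -> appends audit_backlog_limit=MIN_BACKLOG to the
# GRUB_CMDLINE_LINUX line in FILE (a copy of /etc/default/grub), keeping the
# parameters already in the quoted value. Does nothing if already present;
# adds the line if the variable is missing entirely.
add_backlog_limit() {
    file=$1
    if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=' "$file"; then
        return 0
    fi
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # Insert before the closing quote, then drop the leading space that
        # appears when the existing value was empty ("").
        sed -e 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 audit_backlog_limit='"$MIN_BACKLOG"'"/' \
            -e 's/^GRUB_CMDLINE_LINUX=" /GRUB_CMDLINE_LINUX="/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="audit_backlog_limit=%s"\n' "$MIN_BACKLOG" >> "$file"
    fi
}

# runtime_backlog_limit -> prints the backlog_limit the running kernel
# reports in "auditctl -s" (needs root; prints nothing if auditctl is
# unavailable). Useful to confirm the new value after a reboot.
runtime_backlog_limit() {
    auditctl -s 2>/dev/null | sed -n 's/^backlog_limit \([0-9][0-9]*\)$/\1/p'
}

# Demo on a constructed copy of /etc/default/grub (sample content, not a
# real system file). Expected result: the audit=1 parameter is preserved.
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="audit=1"
EOF
add_backlog_limit "$demo"
grep '^GRUB_CMDLINE_LINUX=' "$demo"
rm -f "$demo"
```

After editing the real file, run update-grub as shown above, reboot, and confirm with check_backlog_limit "$(cat /proc/cmdline)" and runtime_backlog_limit that the kernel picked up the value; the pattern deliberately does not match GRUB_CMDLINE_LINUX_DEFAULT, which only applies to normal (non-recovery) boots.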

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: c0de4f532d9af1f02fff4c5a95a28bdd13088bd14a78409a4eb8987626adbc6e