4.1.1.3 Ensure audit_backlog_limit is sufficient

Information

The backlog limit has a default setting of 64

During boot if audit=1 then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.

Solution

Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX:

# grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>'

Example:

# grubby --update-kernel ALL --args 'audit_backlog_limit=8192'

See Also

https://workbench.cisecurity.org/files/4239