lowauditverified ✓
Configure sufficient audit_backlog_limit in GRUB
auditd-audit-backlog-limit · RHEL ≥ 9 · 1 impl
Description
The audit_backlog_limit kernel parameter must be set to a sufficient size to capture processes that start before the audit daemon.
Rationale
During boot, processes start before the audit daemon is running. Without a sufficient backlog limit, audit events for these early processes may be lost.
Check → Remediate
Checkcommand
# Read the running kernel command line (as the STIG does) rather than the # persistent grub config, and require the value to be at least 8192 — the # old exact-match on "8192" over-FAILed a compliant larger value (e.g. # 16384). Per the STIG check-content the finding fires only when the # value is PRESENT and < 8192; an absent value is not a finding. val=$(grep -oE 'audit_backlog_limit=[0-9]+' /proc/cmdline 2>/dev/null | head -1 | cut -d= -f2) if [ -z "$val" ]; then echo "OK: audit_backlog_limit is not set on the kernel command line (not a finding per the STIG check)" exit 0 fi if [ "$val" -ge 8192 ]; then echo "OK: audit_backlog_limit=$val (>= 8192)" exit 0 fi echo "FAIL: audit_backlog_limit=$val (must be >= 8192)" exit 1
- expected_exit:
- 0
Remediatecommand_exec
grubby --update-kernel=ALL --args='audit_backlog_limit=8192'
Framework references
STIG
V-281102 / RHEL-10-500030V-258173
NIST 800-53
AU-12
Live verification
rhel9:check
#audit#grub#boot#configuration