← Rules Catalog
lowauditverified

Configure sufficient audit_backlog_limit in GRUB

auditd-audit-backlog-limit · RHEL ≥ 9 · 1 impl

Description

The audit_backlog_limit kernel parameter must be set to a sufficient size to capture processes that start before the audit daemon.

Rationale

During boot, processes start before the audit daemon is running. Without a sufficient backlog limit, audit events for these early processes may be lost.

Check → Remediate

Checkcommand
# Read the running kernel command line (as the STIG does) rather than the
# persistent grub config, and require the value to be at least 8192 — the
# old exact-match on "8192" over-FAILed a compliant larger value (e.g.
# 16384). Per the STIG check-content the finding fires only when the
# value is PRESENT and < 8192; an absent value is not a finding.
val=$(grep -oE 'audit_backlog_limit=[0-9]+' /proc/cmdline 2>/dev/null | head -1 | cut -d= -f2)
if [ -z "$val" ]; then
  echo "OK: audit_backlog_limit is not set on the kernel command line (not a finding per the STIG check)"
  exit 0
fi
if [ "$val" -ge 8192 ]; then
  echo "OK: audit_backlog_limit=$val (>= 8192)"
  exit 0
fi
echo "FAIL: audit_backlog_limit=$val (must be >= 8192)"
exit 1
expected_exit:
0
Remediatecommand_exec
grubby --update-kernel=ALL --args='audit_backlog_limit=8192'

Framework references

STIG

V-281102 / RHEL-10-500030V-258173

NIST 800-53

AU-12

Live verification

rhel9:check
#audit#grub#boot#configuration