4.1.2.7 Ensure audit_backlog_limit is sufficient

Information

The backlog limit has a default setting of 64

Rationale:

During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.

Solution

Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX:
Example:

GRUB_CMDLINE_LINUX='audit_backlog_limit=8192'

Run the following script to update the grub2 configuration:

#!/usr/bin/env bash

GFCU()
{
grubfile=$(find /boot -type f ( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' ) -exec grep -Pl '^h*(kernelopts=|linux|kernel)' {} ;)
grubdir=$(dirname '$grubfile')
grub2-mkconfig -o '$grubdir/grub.cfg'
}
GFCU

See Also

https://workbench.cisecurity.org/files/3636