4.1.1.4 Ensure audit_backlog_limit is sufficient

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The kernel audit backlog limit (kernel command-line parameter audit_backlog_limit) has a default setting of 64 records.

Rationale:

During boot, if audit=1 is set, the kernel queues audit records in a backlog until auditd starts and begins draining them. With the default limit, that backlog holds only 64 records. If more than 64 records are generated before auditd is running, the excess records are lost, and potentially malicious activity during early boot could go undetected.

Solution

Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to the kernel command line (GRUB_CMDLINE_LINUX) of every installed kernel; the new value takes effect at the next reboot:

# grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>'

Example:

# grubby --update-kernel ALL --args 'audit_backlog_limit=8192'
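The following shell snippet is an added example and is not part of the CIS audit or of grubby. It parses a kernel command line the way this check needs to be applied: extract the audit_backlog_limit value, treat a later occurrence as overriding an earlier one (the kernel handler for this parameter simply assigns the value each time it is seen), and compare it against a minimum. The minimum of 8192 and the sample command lines are assumptions chosen to match the page's example, not values the benchmark mandates.

```shell
#!/bin/sh
# Added example, not CIS or grubby code. Checks a kernel command line string
# for audit_backlog_limit >= a minimum (default 8192, matching the page's example).

# Print the effective audit_backlog_limit value from a command line string.
# Tokens are split on spaces; only purely numeric values are accepted; when the
# parameter appears more than once the last occurrence is printed, since the
# kernel assigns the variable on every occurrence and the final one wins.
# Prints nothing if the parameter is absent.
audit_backlog_value() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^audit_backlog_limit=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# Return 0 when the command line carries audit_backlog_limit at or above $2
# (default 8192); return 1 when it is missing or too small.
audit_backlog_ok() {
    cmdline=$1
    min=${2:-8192}
    val=$(audit_backlog_value "$cmdline")
    [ -n "$val" ] && [ "$val" -ge "$min" ]
}

# Constructed sample command lines (assumed, not captured from a real host).
GOOD='BOOT_IMAGE=/vmlinuz-5.14.0 root=/dev/mapper/rl-root ro audit=1 audit_backlog_limit=8192'
LOW='BOOT_IMAGE=/vmlinuz-5.14.0 root=/dev/mapper/rl-root ro audit=1 audit_backlog_limit=64'
MISSING='BOOT_IMAGE=/vmlinuz-5.14.0 root=/dev/mapper/rl-root ro audit=1'
OVERRIDDEN='ro audit=1 audit_backlog_limit=64 audit_backlog_limit=8192'

for c in "$GOOD" "$LOW" "$MISSING" "$OVERRIDDEN"; do
    if audit_backlog_ok "$c"; then
        echo "PASS: $c"
    else
        echo "FAIL: $c"
    fi
done

# On a live host the same function can be run against the running kernel's
# command line and against every configured boot entry (grubby prints each
# entry's options on an args="..." line):
#   audit_backlog_ok "$(cat /proc/cmdline)" || echo "running kernel: limit too low or unset"
#   grubby --info=ALL | sed -n 's/^args="\(.*\)"$/\1/p' | while read -r a; do
#       audit_backlog_ok "$a" || echo "boot entry without sufficient limit: $a"
#   done
```

A value on the command line only proves the next boot is configured; after rebooting, confirm the kernel actually applied it with `auditctl -s`, whose backlog_limit line shows the limit in force (the same line also reports lost, the count of records already dropped because the backlog was full).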




Additional Information:

NIST SP 800-53 Rev. 5:

AU-2

AU-12

SI-5

See Also

https://workbench.cisecurity.org/files/3807