{"description": "To improve the kernel capacity to queue all log events, even those which occurred\nprior to the audit daemon, add the argument <tt>audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /></tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /></tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /></tt> to the\ndefault Grub2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /> ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>", "rationale": "audit_backlog_limit sets the queue length for audit events awaiting transfer\nto the audit daemon. Until the audit daemon is up and running, all log messages\nare stored in this queue. If the queue is overrun during the boot process, the action\ndefined by the audit failure flag is taken.", "severity": "low", "references": {"nist": ["CM-6(a)"], "ospp": ["FAU_STG.1", "FAU_STG.3"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000254-GPOS-00095", "SRG-OS-000341-GPOS-00132", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215"], "cis": ["6.3.1.4"], "pcidss4": ["10.7.2", "10.7"]}, "control_references": {"cis": ["6.3.1.4"], "pcidss4": ["10.7.2", "10.7"]}, "components": [], "identifiers": {}, "ocil_clause": "audit backlog limit is not configured", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>.\nIf it includes <tt>audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /></tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" />.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" />.*' /etc/default/grub</pre>\nMoreover, the current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf they include <tt>audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" /></tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" />'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "\n\nUpdate the GRUB_CMDLINE_LINUX line in '/etc/default/grub' so that it contains audit_backlog_limit=<sub idref=\"var_audit_backlog_limit\" />.\nRun the following command:\n\n$ sudo update-grub", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.", "vuldiscussion": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nIf auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nAllocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes.", "checktext": "Verify Ubuntu 22.04 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:\n\n$ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'\n\nIf the command returns any output, and audit_backlog_limit is less than \"8192\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to allocate a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:\n\n$ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192"}}, "platform": "grub2", "platforms": ["grub2"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["grub2"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Extend Audit Backlog Limit for the Audit Daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "audit_backlog_limit", "arg_variable": "var_audit_backlog_limit"}, "backends": {}}}