{"description": "To improve the kernel's capacity to queue all log events, even those that occur before the audit daemon starts,\ncheck that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>\nincluded in their options.<br />\nTo ensure that new kernels and boot entries continue to extend the audit log events queue,\nadd <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.", "rationale": "audit_backlog_limit sets the queue length for audit events awaiting transfer\nto the audit daemon. Until the audit daemon is up and running, all log messages\nare stored in this queue. If the queue is overrun during the boot process, the action\ndefined by the audit failure flag is taken.", "severity": "medium", "references": {"ospp": ["FAU_STG.1", "FAU_STG.3"], "cis": ["6.3.1.4"]}, "control_references": {"cis": ["6.3.1.4"]}, "components": [], "identifiers": {}, "ocil_clause": "audit backlog limit is not configured", "ocil": "Check that all boot entries extend the audit backlog limit (the log events queue):\n<pre>sudo grep -LE \"^options\\s+.*\\baudit_backlog_limit=8192\\b\" /boot/loader/entries/*.conf</pre>\nNo line should be returned; each line returned is a boot entry that does not extend the log events queue.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["s390x_arch"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["s390x_arch"], "bash_conditional": null, "fixes": {}, "title": "Extend Audit Backlog Limit for the Audit Daemon in zIPL", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml", "template": {"name": "zipl_bls_entries_option", "vars": {"arg_name": 
"audit_backlog_limit", "arg_value": "8192"}, "backends": {}}}