{"description": "To improve the kernel's capacity to queue all log events, even those that occurred\nbefore the audit daemon started, add the argument <tt>audit_backlog_limit=8192</tt> to all\nBLS (Boot Loader Specification) entries ('options' line) for the Linux\noperating system in <tt>/boot/loader/entries/*.conf</tt>.", "rationale": "audit_backlog_limit sets the queue length for audit events awaiting transfer\nto the audit daemon. Until the audit daemon is up and running, all log messages\nare stored in this queue. If the queue is overrun during the boot process, the action\ndefined by the audit failure flag is taken.", "severity": "medium", "references": {"nist": ["CM-6(a)"], "srg": ["SRG-OS-000254-GPOS-00095", "SRG-APP-000092-CTR-000165"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "audit backlog limit is not configured", "ocil": "Inspect the form of all the BLS (Boot Loader Specification) entries\n('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include\n<tt>audit=1</tt>, then auditing is enabled at boot time.\n<br /><br />\nTo ensure <tt>audit_backlog_limit=8192</tt> is configured on the installed kernel, add\nthe kernel argument via a <pre>MachineConfig</pre> object to the appropriate\npools.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Extend Audit Backlog Limit for the Audit Daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml", "template": {"name": "coreos_kernel_option", "vars": {"arg_name": "audit_backlog_limit", "arg_value": "8192"}, "backends": {}}}