STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

DISA Rule

SV-230469r627750_rule

Vulnerability Number

V-230469

Group Title

SRG-OS-000341-GPOS-00132

Rule Version

RHEL-08-030602

Severity

CAT III

CCI(s)

• CCI-001849 - The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.

Weight

10

Fix Recommendation

Configure RHEL 8 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:

$ sudo grubby --update-kernel=ALL --args="audit_backlog_limit=8192"

Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:

GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"

Check Contents

Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:

$ sudo grub2-editenv - list | grep audit

kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82

If the "audit_backlog_limit" entry does not equal "8192", is missing, or the line is commented out, this is a finding.

Check the audit_backlog_limit is set to persist in kernel updates:

$ sudo grep audit /etc/default/grub

GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"

If "audit_backlog_limit" is not set to "8192", is missing or commented out, this is a finding.

Vulnerability Number

V-230469

Documentable

False

Rule Version

RHEL-08-030602

Severity Override Guidance

Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands:

$ sudo grub2-editenv - list | grep audit

kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82

If the "audit_backlog_limit" entry does not equal "8192", is missing, or the line is commented out, this is a finding.

Check the audit_backlog_limit is set to persist in kernel updates:

$ sudo grep audit /etc/default/grub

GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"

If "audit_backlog_limit" is not set to "8192", is missing or commented out, this is a finding.

Check Content Reference

M

Target Key

2921

Comments