4.1.1.4 Ensure audit_backlog_limit is sufficient

Audit

Run the following command and verify the audit_backlog_limit= parameter is set:

# find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -Pv 'audit_backlog_limit=\d+\b'

Nothing should be returned.
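
The audit command above only confirms that audit_backlog_limit= carries some numeric value, so a kernel line with a value below the recommended 8192 still passes. The following added example (not part of the benchmark text) reads grub.cfg content on stdin and also flags values that are too small; the function names, exit codes and sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the benchmark): flag kernel lines whose
# audit_backlog_limit is absent or below the recommended minimum.
MIN_BACKLOG=8192   # "8192 or larger", per the remediation text

# Reads grub.cfg content on stdin; optional $1 overrides the minimum.
# Prints one line per non-compliant kernel entry.
# Exit status: 0 = all compliant, 1 = findings, 2 = no kernel lines seen.
check_backlog_limit() {
    awk -v min="${1:-$MIN_BACKLOG}" '
        # Only GRUB kernel-loading commands: linux, linux16, linuxefi.
        $1 ~ /^linux(16|efi)?$/ {
            kernels++
            found = 0; low = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^audit_backlog_limit=[0-9]+$/) {
                    found = 1
                    split($i, kv, "=")
                    # Conservative: every occurrence must meet the minimum.
                    if (kv[2] + 0 < min) low = 1
                }
            }
            if (!found)   { bad++; print "MISSING: " $0 }
            else if (low) { bad++; print "TOO_SMALL: " $0 }
        }
        END {
            if (kernels == 0) exit 2
            exit (bad > 0)
        }'
}

# Constructed sample input, not a real system's grub.cfg.
sample_grub_cfg() {
    cat <<'EOF'
menuentry 'Constructed A' {
    linux /vmlinuz-a root=/dev/sda1 ro audit=1 audit_backlog_limit=8192
}
menuentry 'Constructed B' {
    linux /vmlinuz-b root=/dev/sda1 ro single
}
menuentry 'Constructed C' {
    linux /vmlinuz-c root=/dev/sda1 ro audit_backlog_limit=64
}
EOF
}

# Demo on the constructed sample: reports entries B and C.
sample_grub_cfg | check_backlog_limit || true
```

On a live system, feed it each file the audit command finds, for example `check_backlog_limit < path/to/grub.cfg`, and treat any non-zero exit status as a failed check.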

Remediation

Edit /etc/default/grub and add audit_backlog_limit=N to GRUB_CMDLINE_LINUX.

The recommended size for N is 8192 or larger.

Example:

GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"

Run the following command to update the grub2 configuration:

# update-grub

Default Value:

If audit_backlog_limit is not set, the system defaults to audit_backlog_limit=64