Parametrize rule grub2_audit_backlog_limit_argument

jan-cerny · jan-cerny · commit 3afab1fd9bc9 · 2025-10-31T12:58:29.000+01:00
For the purpose of aligning our profiles to RHEL 10 CIS Benchmark version v1.0.1 we need to make the rule grub2_audit_backlog_limit_argument paramatrizable by a variable because they benchmark says it should be set to an appropriate size for your organization. They still recommend 8192 or larger so we will set this a default value. Resolves: https://issues.redhat.com/browse/OPENSCAP-6111
diff --git a/controls/bsi_sys_1_1_rhel9.yml b/controls/bsi_sys_1_1_rhel9.yml
@@ -196,6 +196,7 @@ controls:
       # Section 2 (start / reboot)
           - grub2_audit_argument
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
       # Section 3 (login)
           - audit_rules_session_events
           - audit_rules_login_events_faillock
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
@@ -1622,6 +1622,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 5.2.1.4
       title: Ensure auditd service is enabled (Automated)
diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml
@@ -2458,6 +2458,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 6.3.1.4
       title: Ensure auditd service is enabled and active (Automated)
diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml
@@ -2515,6 +2515,7 @@ controls:
           - l2_workstation
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - zipl_audit_backlog_limit_argument
       status: automated
 
diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
@@ -2624,6 +2624,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 6.3.1.4
       title: Ensure auditd service is enabled and active (Automated)
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -2560,6 +2560,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 6.3.1.4
       title: Ensure auditd service is enabled and active (Automated)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -2356,6 +2356,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 5.2.1.4
       title: Ensure auditd service is enabled (Automated)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -2508,6 +2508,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 6.3.1.4
       title: Ensure auditd service is enabled and active (Automated)
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -1143,6 +1143,7 @@ controls:
           Note that currently the value is hardcoded to 8192
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 4.1.3
       title: Ensure events that modify date and time information are collected (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -1325,6 +1325,7 @@ controls:
           Note, that currently the value is hardcoded to 8192
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 4.1.3
       title: Ensure events that modify date and time information are collected (Automated)
diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml
@@ -2385,6 +2385,7 @@ controls:
           - l2_workstation
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - zipl_audit_backlog_limit_argument
       status: automated
 
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2536,6 +2536,7 @@ controls:
           - l2_workstation
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - zipl_audit_backlog_limit_argument
       status: automated
 
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
@@ -127,6 +127,7 @@ controls:
           - service_auditd_enabled
           - grub2_audit_argument
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - auditd_data_retention_max_log_file
           - var_auditd_max_log_file=6
           - auditd_data_retention_max_log_file_action
diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml
@@ -2131,6 +2131,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: SLES-15-750450060
       title: Enable auditd Service
diff --git a/controls/ospp.yml b/controls/ospp.yml
@@ -110,6 +110,7 @@ controls:
           - base
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - zipl_audit_backlog_limit_argument
       status: automated
     - id: FCS_CKM.1
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -3093,6 +3093,7 @@ controls:
             rules:
                 - grub2_audit_argument
                 - grub2_audit_backlog_limit_argument
+                - var_audit_backlog_limit=8192
 
           - id: 10.7.3
             title: Failures of any critical security controls systems are responded to restore security
diff --git a/controls/srg_gpos/SRG-OS-000254-GPOS-00095.yml b/controls/srg_gpos/SRG-OS-000254-GPOS-00095.yml
@@ -6,6 +6,7 @@ controls:
         rules:
             - grub2_audit_argument
             - grub2_audit_backlog_limit_argument
+            - var_audit_backlog_limit=8192
             - service_auditd_enabled
             - package_audit_installed
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml b/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml
@@ -7,6 +7,7 @@ controls:
             - low
         rules:
             - grub2_audit_backlog_limit_argument
+            - var_audit_backlog_limit=8192
             - partition_for_var_log_audit
             - auditd_audispd_configure_sufficiently_large_partition
         status: automated
diff --git a/controls/std_openeuler2203.yml b/controls/std_openeuler2203.yml
@@ -1580,6 +1580,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
           - grub2_audit_backlog_limit_argument.severity=low
 
     - id: 4.1.10
diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml
@@ -629,6 +629,7 @@ controls:
       status: automated
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
 
     - id: 4.1.5
       title: Ensure audit rules are immutable
diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
@@ -3273,6 +3273,7 @@ controls:
           prior to the audit daemon.
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
       status: automated
 
     - id: OL09-00-002405
diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml
@@ -1966,6 +1966,7 @@ controls:
           start prior to the audit daemon.
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
       status: automated
 
     - id: RHEL-08-030603
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -3314,6 +3314,7 @@ controls:
           start prior to the audit daemon.
       rules:
           - grub2_audit_backlog_limit_argument
+          - var_audit_backlog_limit=8192
       status: automated
 
     - id: RHEL-09-653125
diff --git a/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -5,9 +5,9 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon'
 
 description: |-
     To improve the kernel capacity to queue all log events, even those which occurred
-    prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
+    prior to the audit daemon, add the argument <tt>audit_backlog_limit={{{ xccdf_value("var_audit_backlog_limit") }}}</tt> to the default
     GRUB 2 command line for the Linux operating system.
-    {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
+    {{{ describe_grub2_argument("audit_backlog_limit=" ~ xccdf_value("var_audit_backlog_limit")) | indent(4) }}}
 
 rationale: |-
     audit_backlog_limit sets the queue length for audit events awaiting transfer
@@ -36,10 +36,10 @@ references:
 ocil_clause: 'audit backlog limit is not configured'
 
 ocil: |-
-    {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
+    {{{ ocil_grub2_argument("audit_backlog_limit=" ~ xccdf_value("var_audit_backlog_limit")) | indent(4) }}}
 
 fixtext: |-
-    {{{ fixtext_grub2_bootloader_argument("audit_backlog_limit", "8192") | indent(4) }}}
+    {{{ fixtext_grub2_bootloader_argument("audit_backlog_limit", xccdf_value("var_audit_backlog_limit")) | indent(4) }}}
 
 srg_requirement: '{{{ full_name }}} must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.'
 
@@ -49,4 +49,4 @@ template:
     name: grub2_bootloader_argument
     vars:
         arg_name: audit_backlog_limit
-        arg_value: '8192'
+        arg_variable: var_audit_backlog_limit
diff --git a/linux_os/guide/auditing/var_audit_backlog_limit.var b/linux_os/guide/auditing/var_audit_backlog_limit.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: Audit backlog limit
+
+description: |-
+    Value of the audit_backlog_limit argument in GRUB 2 configuration.
+    The audit_backlog_limit parameter determines how auditd records can
+    be held in the auditd backlog.
+
+type: number
+
+operator: equals
+
+interactive: true
+
+options:
+    default: 8192
+    8192: 8192
diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile
@@ -17,6 +17,7 @@ selections:
     - installed_OS_is_vendor_supported
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - service_auditd_enabled
     - enable_fips_mode
     - var_system_crypto_policy=fips
diff --git a/products/ol7/profiles/ospp.profile b/products/ol7/profiles/ospp.profile
@@ -104,6 +104,7 @@ selections:
     - package_dracut-fips_installed
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - grub2_slub_debug_argument
     - grub2_page_poison_argument
     - grub2_vsyscall_argument
diff --git a/products/ol8/profiles/ospp.profile b/products/ol8/profiles/ospp.profile
@@ -126,6 +126,7 @@ selections:
     ## Boot prompt
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - grub2_slub_debug_argument
     - grub2_page_poison_argument
     - grub2_vsyscall_argument
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
@@ -885,6 +885,7 @@ selections:
 
     # OL08-00-030602
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
 
     # OL08-00-030603
     - configure_usbguard_auditbackend
diff --git a/products/ol9/profiles/ospp.profile b/products/ol9/profiles/ospp.profile
@@ -61,6 +61,7 @@ selections:
     ## Boot prompt
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - grub2_vsyscall_argument
     - grub2_init_on_alloc_argument
     - grub2_page_alloc_shuffle_argument
diff --git a/products/ubuntu2204/profiles/default.profile b/products/ubuntu2204/profiles/default.profile
@@ -373,6 +373,7 @@ selections:
     - group_unique_name
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - grub2_enable_apparmor
     - grub2_password
     - grub2_uefi_password
diff --git a/products/ubuntu2404/profiles/default.profile b/products/ubuntu2404/profiles/default.profile
@@ -380,6 +380,7 @@ selections:
     - group_unique_name
     - grub2_audit_argument
     - grub2_audit_backlog_limit_argument
+    - var_audit_backlog_limit=8192
     - grub2_enable_apparmor
     - grub2_password
     - grub2_uefi_password
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
@@ -437,6 +437,7 @@ var_accounts_passwords_pam_faillock_dir=run
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel10
 var_auditd_disk_error_action=cis_rhel10
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -434,6 +434,7 @@ var_accounts_passwords_pam_faillock_dir=run
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel10
 var_auditd_disk_error_action=cis_rhel10
diff --git a/tests/data/profile_stability/rhel10/ospp.profile b/tests/data/profile_stability/rhel10/ospp.profile
@@ -138,6 +138,7 @@ use_pam_wheel_for_su
 var_accounts_passwords_pam_faillock_deny=3
 var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
+var_audit_backlog_limit=8192
 var_auditd_flush=incremental_async
 var_authselect_profile=local
 var_logind_session_timeout=30_minutes
diff --git a/tests/data/profile_stability/rhel10/pci-dss.profile b/tests/data/profile_stability/rhel10/pci-dss.profile
@@ -256,6 +256,7 @@ var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=10
 var_accounts_passwords_pam_faillock_unlock_time=1800
 var_accounts_passwords_pam_tally2_unlock_time=1800
+var_audit_backlog_limit=8192
 var_auditd_admin_space_left_action=single
 var_auditd_name_format=fqd
 var_auditd_space_left=100MB
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
@@ -521,6 +521,7 @@ var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_tmout=15_min
 var_accounts_user_umask=077
+var_audit_backlog_limit=8192
 var_audit_failure_mode=panic
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=single
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -518,6 +518,7 @@ var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_tmout=15_min
 var_accounts_user_umask=077
+var_audit_backlog_limit=8192
 var_audit_failure_mode=panic
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=single
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
@@ -429,6 +429,7 @@ var_accounts_passwords_pam_faillock_dir=run
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel8
 var_auditd_disk_error_action=cis_rhel8
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -425,6 +425,7 @@ var_accounts_passwords_pam_faillock_dir=run
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel8
 var_auditd_disk_error_action=cis_rhel8
diff --git a/tests/data/profile_stability/rhel8/cui.profile b/tests/data/profile_stability/rhel8/cui.profile
@@ -214,6 +214,7 @@ var_accounts_passwords_pam_faillock_deny=3
 var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_flush=incremental_async
 var_authselect_profile=minimal
 var_logind_session_timeout=5_minutes
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,7 @@ var_accounts_passwords_pam_faillock_deny=3
 var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_user_umask=027
+var_audit_backlog_limit=8192
 var_auditd_flush=incremental_async
 var_authselect_profile=minimal
 var_logind_session_timeout=5_minutes
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -264,6 +264,7 @@ var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=10
 var_accounts_passwords_pam_faillock_unlock_time=1800
 var_accounts_passwords_pam_tally2_unlock_time=1800
+var_audit_backlog_limit=8192
 var_auditd_admin_space_left_action=single
 var_auditd_name_format=fqd
 var_auditd_space_left=100MB
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
@@ -413,6 +413,7 @@ var_accounts_passwords_pam_faillock_deny=3
 var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_user_umask=077
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_disk_error_action=rhel8
 var_auditd_disk_full_action=rhel8
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -411,6 +411,7 @@ var_accounts_passwords_pam_faillock_deny=3
 var_accounts_passwords_pam_faillock_fail_interval=900
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_user_umask=077
+var_audit_backlog_limit=8192
 var_auditd_action_mail_acct=root
 var_auditd_disk_error_action=rhel8
 var_auditd_disk_full_action=rhel8
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
diff --git a/tests/data/profile_stability/rhel9/cui.profile b/tests/data/profile_stability/rhel9/cui.profile
diff --git a/tests/data/profile_stability/rhel9/ospp.profile b/tests/data/profile_stability/rhel9/ospp.profile
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
