
xccdf_org.ssgproject.content_rule_audit_backlog_limit resets backlog limit even if set to valid value

Open abertolli opened this issue 3 months ago • 3 comments

Description of problem:

On RHEL 9, we set audit_backlog_limit=32768. However, when running xccdf_org.ssgproject.content_rule_audit_backlog_limit it fails and remediation resets this back to audit_backlog_limit=8192. The logic behind the rule seems to indicate that any value higher than 8192 should satisfy the check.

SCAP Security Guide Version:

scap-security-guide-0.1.77-3.el9.noarch

Operating System Version:

Red Hat Enterprise Linux release 9.6 (Plow)

Steps to Reproduce:

  1. Set kernel args to audit_backlog_limit=32768, in /etc/default/grub, grubby, and /boot/grub2/grub.cfg
#!/bin/bash

[ $(id -u) -ne 0 ] && echo "You need to be root" && exit 1

arg="$1"
[ -z "$arg" ] && echo "$(basename $0) ARG=VALUE" && exit 1
key="${arg%%=*}"

# Update /etc/default/grub
if ! grep -wq "$arg" /etc/default/grub
then
	cp /etc/default/grub /etc/default/grub.bk
	if grep -q "GRUB_CMDLINE_LINUX=.*${key}=" /etc/default/grub
	then
		sed -i -e "s/\(GRUB_CMDLINE_LINUX=\".*\)${key}=[^ ]\+\(.*\"\)/\1$arg\2/" /etc/default/grub
	else
		sed -i -e "s/\(GRUB_CMDLINE_LINUX=\".*\)\"/\1 $arg\"/" /etc/default/grub
	fi
fi

# Apply to all installed kernels via grubby
if ! grubby --info=ALL | grep -qw "$arg"
then
	grubby --update-kernel=ALL --args="$arg"
fi

grub_cfg="/boot/grub2/grub.cfg"
if ! grep -qw "$arg" "$grub_cfg" 2>/dev/null
then
	grub2-mkconfig -o "$grub_cfg"
fi
  2. Check these are set correctly, e.g.
  • grep 32768 /etc/default/grub
  • grubby --info=ALL | grep args
  • grep 32768 /boot/grub2/grub.cfg
  • (And cat /proc/cmdline after reboot)
  3. Run oscap remediation and check for rule xccdf_org.ssgproject.content_rule_audit_backlog_limit using /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml and profile xccdf_org.ssgproject.content_profile_stig

Actual Results:

  • Rule result fails, and remediation runs
  • /etc/default/grub and grubby show audit_backlog_limit=8192
  • /boot/grub2/grub.cfg shows audit_backlog_limit=32768

Expected Results:

  • Rule result passes and does not remediate
  • /etc/default/grub, grubby, and /boot/grub2/grub.cfg all show audit_backlog_limit=32768

Additional Information/Debugging Steps:

abertolli, Sep 24 '25 08:09

The problem is that the actual check is implemented in a way that requires the value to equal 8192. We need to change the OVAL check to also accept values greater than this.

jan-cerny, Sep 24 '25 09:09
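The difference jan-cerny describes (an equality test on 8192 versus the minimum-value test the rule intends), as an added shell example that is not part of the issue or of the SCAP Security Guide content. It also flags the drift between bootloader sources that the "Actual Results" above show after remediation. The function names, the threshold constant and all sample /etc/default/grub and /boot/loader/entries text are constructed for this example, not taken from a real host or from the project's OVAL.

```shell
#!/bin/sh
# Added example, not code from the issue or from the SCAP Security Guide project.
# Models two ways the audit_backlog_limit check can be written: the equality
# test the issue reports (value must be exactly 8192) and the minimum test the
# rule intends (value must be at least 8192), plus a drift check across the
# bootloader sources the issue lists. All inputs are constructed samples.

REQUIRED_MIN=8192   # threshold named in the issue

# Print the effective audit_backlog_limit from a kernel command line string.
# The kernel processes parameters left to right, so the last occurrence wins.
# Prints nothing when the parameter is absent.
backlog_limit_from_cmdline() {
    local word value
    value=""
    for word in $1; do
        case "$word" in
            audit_backlog_limit=*) value="${word#audit_backlog_limit=}" ;;
        esac
    done
    printf '%s' "$value"
}

# Print the GRUB_CMDLINE_LINUX value from /etc/default/grub-style text
# (last assignment wins, as it would for the shell that sources the file).
cmdline_from_grub_default() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' | tail -n 1
}

# Print the "options" line of a /boot/loader/entries/*.conf (BLS) entry,
# which is where the per-kernel arguments live on RHEL 9.
cmdline_from_bls_entry() {
    printf '%s\n' "$1" | sed -n 's/^options[[:space:]]*//p' | head -n 1
}

# Return 0 only for a non-negative integer (rejects empty or garbage values).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Equality check, as the issue reports the check behaving: pass iff value == 8192.
check_equal() {
    local v
    v=$(backlog_limit_from_cmdline "$1")
    is_uint "$v" && [ "$v" -eq "$REQUIRED_MIN" ]
}

# Minimum check, as the rule description intends: pass iff value >= 8192.
check_at_least() {
    local v
    v=$(backlog_limit_from_cmdline "$1")
    is_uint "$v" && [ "$v" -ge "$REQUIRED_MIN" ]
}

# Return 0 if every supplied command line yields the same audit_backlog_limit.
# Catches the state the issue shows after remediation (8192 in one source,
# 32768 in another).
sources_agree() {
    local first c v
    first=$(backlog_limit_from_cmdline "$1")
    shift
    for c in "$@"; do
        v=$(backlog_limit_from_cmdline "$c")
        [ "$v" = "$first" ] || return 1
    done
    return 0
}

# Constructed samples (not captured from a real host).
GRUB_DEFAULT_TEXT='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M audit=1 audit_backlog_limit=32768"'
BLS_ENTRY_TEXT='title Red Hat Enterprise Linux (example entry)
version 5.14.0-example
linux /vmlinuz-5.14.0-example
options root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=32768'
CMDLINE_DEFAULT=$(cmdline_from_grub_default "$GRUB_DEFAULT_TEXT")
CMDLINE_BLS=$(cmdline_from_bls_entry "$BLS_ENTRY_TEXT")
CMDLINE_REMEDIATED="crashkernel=1G-4G:192M audit=1 audit_backlog_limit=8192"
CMDLINE_LOW="audit=1 audit_backlog_limit=4096"
CMDLINE_NONE="audit=1"

# Run a check function and print pass/fail instead of an exit status.
verdict() { "$@" && printf pass || printf fail; }

report() {
    local name="$1" cmdline="$2"
    printf '%-28s value=%-6s equality=%s minimum=%s\n' "$name" \
        "$(backlog_limit_from_cmdline "$cmdline")" \
        "$(verdict check_equal "$cmdline")" \
        "$(verdict check_at_least "$cmdline")"
}

report "/etc/default/grub (32768)" "$CMDLINE_DEFAULT"
report "BLS entry (32768)" "$CMDLINE_BLS"
report "after remediation (8192)" "$CMDLINE_REMEDIATED"
report "too low (4096)" "$CMDLINE_LOW"
report "absent" "$CMDLINE_NONE"
sources_agree "$CMDLINE_REMEDIATED" "$CMDLINE_BLS" \
    || echo "drift: bootloader sources disagree on audit_backlog_limit"
```

The 32768 rows are the point: the equality column reads fail while the minimum column reads pass, which is the behaviour the issue reports against the rule's stated intent. The last line reproduces the post-remediation state, where the default file and the BLS entry no longer agree, so a compliance run that only inspects one source can report a different value than the kernel will actually boot with.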

Does this OVAL check also govern the -b 8192 that gets set in /etc/audit/rules.d/audit.rules? I haven't gotten that far yet, but that would be the other location which would be related to this one. That is a different rule, I believe.

According to auditctl documentation, this setting readjusts the backlog limit when auditd gets started. Typically I'd expect most configurations to want these values to be the same.

abertolli, Sep 24 '25 23:09

No, it doesn't; the OVAL check for rule grub2_audit_backlog_limit_argument checks the bootloader configuration, i.e. /etc/default/grub and /boot/loader/entries (and, for Image Mode RHEL, /usr/lib/bootc/kargs.d/). Setting -b 8192 in /etc/audit/rules.d might be caused by the rules audit_basic_configuration or audit_rules_for_ospp.

jan-cerny, Sep 25 '25 07:09