fix: correct audit_backlog_limit definition in /etc/default/grub#14850

Merged
jan-cerny merged 1 commit into
ComplianceAsCode:masterfrom
kaleal:kleal-fix-audit_backlog_limit-remediation
Jul 3, 2026
Conversation

@kaleal

@kaleal kaleal commented Jul 2, 2026

Contributor

Description:

Current xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument remediation is writing the variable name instead of its value in /etc/default/grub.

root@ubuntu2404:~# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
    --remediate \
    --rule xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument \
    /vagrant/build/ssg-ubuntu2404-ds.xml
--- Starting Evaluation ---

Title   Extend Audit Backlog Limit for the Audit Daemon
Rule    xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result  fail


--- Starting Remediation ---

Title   Extend Audit Backlog Limit for the Audit Daemon
Rule    xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
W: oscap: Conversion of the string "$var_audit_backlog_limit" to an integer (64 bits) failed: Invalid argument
W: oscap: Can't compare variable 'oval:ssg-var_audit_backlog_limit:var:1' value = '8192' with collected item entity = '$var_audit_backlog_limit'
W: oscap: Conversion of the string "$var_audit_backlog_limit" to an integer (64 bits) failed: Invalid argument
W: oscap: Can't compare variable 'oval:ssg-var_audit_backlog_limit:var:1' value = '8192' with collected item entity = '$var_audit_backlog_limit'
Result  error

root@ubuntu2404:~# grep "audit_backlog_limit" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=1 security=apparmor audit_backlog_limit=$var_audit_backlog_limit"
GRUB_CMDLINE_LINUX=" apparmor=1 security=apparmor audit_backlog_limit=$var_audit_backlog_limit"

Rationale:

The value for audit_backlog_limit must be 8192 instead of $var_audit_backlog_limit.

root@ubuntu2404:~# grep "audit_backlog_limit" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash audit_backlog_limit=8192"
GRUB_CMDLINE_LINUX=" audit_backlog_limit=8192"

Review Hints:

root@ubuntu2404:~# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
    --remediate \
    --rule xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument \
    /vagrant/build/ssg-ubuntu2404-ds.xml
--- Starting Evaluation ---

Title   Extend Audit Backlog Limit for the Audit Daemon
Rule    xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result  fail


--- Starting Remediation ---

Title   Extend Audit Backlog Limit for the Audit Daemon
Rule    xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result  fixed

root@ubuntu2404:~# grep "audit_backlog_limit" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash audit_backlog_limit=8192"
GRUB_CMDLINE_LINUX=" audit_backlog_limit=8192"

root@ubuntu2404:~# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
    --rule xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument \
    /vagrant/build/ssg-ubuntu2404-ds.xml
--- Starting Evaluation ---

Title   Extend Audit Backlog Limit for the Audit Daemon
Rule    xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result  pass
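A checker for the defect reported above, added here as an example and not the PR's own remediation code: it reads /etc/default/grub-style lines, flags an unexpanded $var_audit_backlog_limit literal or a non-integer value in GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT, and a companion rewrite helper writes the expanded value the way the fixed remediation is expected to. The sample file contents and the function names are constructed for this example.

```shell
# Added example, not the PR's own code: detect and correct the unexpanded-variable defect.
# Constructed samples: the broken file from the PR description and the intended one.
BROKEN_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=1 security=apparmor audit_backlog_limit=$var_audit_backlog_limit"
GRUB_CMDLINE_LINUX=" apparmor=1 security=apparmor audit_backlog_limit=$var_audit_backlog_limit"'
FIXED_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="quiet splash audit_backlog_limit=8192"
GRUB_CMDLINE_LINUX=" audit_backlog_limit=8192"'

# check_audit_backlog_limit: reads /etc/default/grub-style lines on stdin and returns 0
# only if every GRUB_CMDLINE_LINUX* line carries audit_backlog_limit=<integer>.
check_audit_backlog_limit() {
    rc=0
    while IFS= read -r line; do
        case "$line" in GRUB_CMDLINE_LINUX=*|GRUB_CMDLINE_LINUX_DEFAULT=*) ;; *) continue ;; esac
        key=${line%%=*}
        value=$(printf '%s\n' "$line" | sed -n 's/.*audit_backlog_limit=\([^" ]*\).*/\1/p')
        if [ -z "$value" ]; then
            echo "$key: audit_backlog_limit missing"; rc=1
        elif [ "${value#\$}" != "$value" ]; then
            echo "$key: unexpanded variable '$value' (the defect reported above)"; rc=1
        elif ! printf '%s' "$value" | grep -Eq '^[0-9]+$'; then
            echo "$key: non-integer value '$value'"; rc=1
        else
            echo "$key: audit_backlog_limit=$value OK"
        fi
    done
    return $rc
}

# set_audit_backlog_limit VALUE: rewrites stdin so every GRUB_CMDLINE_LINUX* line
# carries audit_backlog_limit=VALUE, replacing an existing value or appending the argument.
set_audit_backlog_limit() {
    new="$1"
    while IFS= read -r line; do
        case "$line" in
            GRUB_CMDLINE_LINUX=*|GRUB_CMDLINE_LINUX_DEFAULT=*)
                if printf '%s' "$line" | grep -q 'audit_backlog_limit='; then
                    # $new is expanded by the shell before sed runs; single-quoting it
                    # would write the variable name into the file, which is the bug.
                    line=$(printf '%s\n' "$line" | sed "s/audit_backlog_limit=[^\" ]*/audit_backlog_limit=${new}/")
                else
                    line="${line%\"} audit_backlog_limit=${new}\""
                fi ;;
        esac
        printf '%s\n' "$line"
    done
}

printf '%s\n' "$BROKEN_GRUB" | check_audit_backlog_limit || echo "broken file rejected"
printf '%s\n' "$BROKEN_GRUB" | set_audit_backlog_limit 8192 | check_audit_backlog_limit
```

Run the checker against a real file with `check_audit_backlog_limit < /etc/default/grub`; a non-zero exit means the rule would still fail evaluation.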

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026


Hi @kaleal. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny added this to the 0.1.82 milestone Jul 3, 2026
@jan-cerny jan-cerny added Ubuntu Ubuntu product related. Bash Bash remediation update. labels Jul 3, 2026

@jan-cerny jan-cerny left a comment

Collaborator


I have compared the generated code before and after this problem and it seems that now the variables are expanded correctly.
The problem doesn't affect RHEL content because that doesn't use this macro and only calls the grub_command macro.

@jan-cerny jan-cerny merged commit 0625d6b into ComplianceAsCode:master Jul 3, 2026
57 of 58 checks passed
@jan-cerny jan-cerny self-assigned this Jul 3, 2026