-
Notifications
You must be signed in to change notification settings - Fork 813
Change rhcos4/moderate kernel argument checks to use coreos check #6131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
6 changes: 6 additions & 0 deletions
6
...os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/kubernetes/shared.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos | ||
| apiVersion: machineconfiguration.openshift.io/v1 | ||
| kind: MachineConfig | ||
| spec: | ||
| kernelArguments: | ||
| - audit_backlog_limit=8192 |
44 changes: 44 additions & 0 deletions
44
linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Extend Audit Backlog Limit for the Audit Daemon' | ||
|
|
||
| description: |- | ||
| To improve the kernel capacity to queue all log events, even those which occurred | ||
| prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
| rationale: |- | ||
| audit_backlog_limit sets the queue length for audit events awaiting transfer | ||
| to the audit daemon. Until the audit daemon is up and running, all log messages | ||
| are stored in this queue. If the queue is overrun during boot process, the action | ||
| defined by audit failure flag is taken. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhcos4: CCE-82671-9 | ||
|
|
||
| references: | ||
| srg: SRG-OS-000254-GPOS-00095 | ||
| nist: CM-6(a) | ||
| cis@rhel8: 4.1.1.4 | ||
|
|
||
| ocil_clause: 'audit backlog limit is not configured' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>audit=1</tt>, then auditing is enabled at boot time. | ||
| <br /><br /> | ||
| To ensure <tt>audit_backlog_limit=8192</tt> is configured on the installed kernel, add | ||
| the kernel argument via a <pre>MachineConfig</pre> object to the appropriate | ||
| pools. | ||
|
|
||
| template: | ||
| name: coreos_kernel_option | ||
| vars: | ||
| arg_name: audit_backlog_limit | ||
| arg_value: '8192' | ||
13 changes: 13 additions & 0 deletions
13
...e/system/auditing/coreos_audit_backlog_limit_kernel_argument/tests/correct_grubby.pass.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| #!/bin/bash | ||
| # platform = Red Hat Enterprise Linux 7 | ||
|
JAORMX marked this conversation as resolved.
Outdated
|
||
|
|
||
| # Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby | ||
| if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then | ||
| # modify the GRUB command-line if an audit_backlog_limit= arg already exists | ||
| sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub' | ||
| else | ||
| # no audit_backlog_limit=arg is present, append it | ||
| sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub' | ||
| fi | ||
|
|
||
| grubby --update-kernel=ALL --args="audit_backlog_limit=8192" | ||
4 changes: 4 additions & 0 deletions
4
.../system/auditing/coreos_audit_backlog_limit_kernel_argument/tests/correct_grubenv.pass.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| #!/bin/bash | ||
|
JAORMX marked this conversation as resolved.
Outdated
|
||
| # platform = Red Hat Enterprise Linux 8 | ||
|
|
||
| grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192" | ||
11 changes: 11 additions & 0 deletions
11
...iting/coreos_audit_backlog_limit_kernel_argument/tests/wrong_value_etcdefaultgrub.fail.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| #!/bin/bash | ||
| # platform = Red Hat Enterprise Linux 7 | ||
|
JAORMX marked this conversation as resolved.
Outdated
|
||
|
|
||
| # Break the audit_backlog_limit argument in kernel command line in /etc/default/grub | ||
| if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then | ||
| # modify the GRUB command-line if an audit_backlog_limit= arg already exists | ||
| sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=123 \2/' '/etc/default/grub' | ||
| else | ||
| # no audit_backlog_limit=arg is present, append it | ||
| sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=123"/' '/etc/default/grub' | ||
| fi | ||
12 changes: 12 additions & 0 deletions
12
...ystem/auditing/coreos_audit_backlog_limit_kernel_argument/tests/wrong_value_rhel8.fail.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| #!/bin/bash | ||
| # platform = Red Hat Enterprise Linux 8 | ||
|
JAORMX marked this conversation as resolved.
Outdated
|
||
|
|
||
| # Break the audit_backlog_limit argument in kernel command line in /boot/grub2/grubenv | ||
| file="/boot/grub2/grubenv" | ||
| if grep -q '^.*audit_backlog_limit=.*' "$file" ; then | ||
| # modify the GRUB command-line if an audit_backlog_limit= arg already exists | ||
| sed -i 's/\(^.*\)audit_backlog_limit=[^[:space:]]*\(.*\)/\1 audit_backlog_limit=123 \2/' "$file" | ||
| else | ||
| # no audit_backlog_limit=arg is present, append it | ||
| sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit_backlog_limit=123/' "$file" | ||
| fi | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 6 additions & 0 deletions
6
linux_os/guide/system/bootloader-grub2/coreos_pti_kernel_argument/kubernetes/shared.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos | ||
| apiVersion: machineconfiguration.openshift.io/v1 | ||
| kind: MachineConfig | ||
| spec: | ||
| kernelArguments: | ||
| - pti=on |
42 changes: 42 additions & 0 deletions
42
linux_os/guide/system/bootloader-grub2/coreos_pti_kernel_argument/rule.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Enable Kernel Page-Table Isolation (KPTI)' | ||
|
|
||
| description: |- | ||
| To enable Kernel page-table isolation, add the argument <tt>pti=on</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
| rationale: |- | ||
| Kernel page-table isolation is a kernel feature that mitigates | ||
| the Meltdown security vulnerability and hardens the kernel | ||
| against attempts to bypass kernel address space layout | ||
| randomization (KASLR). | ||
|
|
||
| severity: high | ||
|
|
||
| identifiers: | ||
| cce@rhcos4: CCE-82497-9 | ||
|
|
||
| references: | ||
| srg: SRG-OS-000433-GPOS-00193 | ||
| nist: SI-16 | ||
|
|
||
| ocil_clause: 'Kernel page-table isolation is not enabled' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>pti=on</tt>, then Kernel page-table isolation is enabled at boot time. | ||
| <br /><br /> | ||
| To ensure <tt>pti=on</tt> is configured on the installed kernel, add | ||
| the kernel argument via a <pre>MachineConfig</pre> object to the appropriate | ||
| pools. | ||
|
|
||
| template: | ||
| name: coreos_kernel_option | ||
| vars: | ||
| arg_name: pti | ||
| arg_value: 'on' |
10 changes: 10 additions & 0 deletions
10
...x_os/guide/system/bootloader-grub2/coreos_pti_kernel_argument/tests/arg_not_there.fail.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
|
|
||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
| # platform = Red Hat Enterprise Linux 8 | ||
|
|
||
| # Removes pti argument from kernel command line in /boot/grub2/grubenv | ||
| file="/boot/grub2/grubenv" | ||
| if grep -q '^.*pti=.*' "$file" ; then | ||
| sed -i 's/\(^.*\)pti=[^[:space:]]*\(.*\)/\1 \2/' "$file" | ||
| fi |
5 changes: 5 additions & 0 deletions
5
linux_os/guide/system/bootloader-grub2/coreos_pti_kernel_argument/tests/correct.pass.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| #!/bin/bash | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
| # platform = Red Hat Enterprise Linux 8 | ||
|
|
||
| grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on" |
13 changes: 13 additions & 0 deletions
13
linux_os/guide/system/bootloader-grub2/coreos_pti_kernel_argument/tests/wrong_value.fail.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| #!/bin/bash | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
| # platform = Red Hat Enterprise Linux 8 | ||
|
|
||
| # Break the pti argument in kernel command line in /boot/grub2/grubenv | ||
| file="/boot/grub2/grubenv" | ||
| if grep -q '^.*pti=.*' "$file" ; then | ||
| # modify the GRUB command-line if an pti= arg already exists | ||
| sed -i 's/\(^.*\)pti=[^[:space:]]*\(.*\)/\1 pti=off \2/' "$file" | ||
| else | ||
| # no pti=arg is present, append it | ||
| sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 pti=off/' "$file" | ||
| fi |
40 changes: 40 additions & 0 deletions
40
linux_os/guide/system/bootloader-grub2/coreos_vsyscall_kernel_argument/rule.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Disable vsyscalls' | ||
|
|
||
| description: |- | ||
| To disable use of virtual syscalls, add the argument <tt>vsyscall=none</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
| rationale: |- | ||
| Virtual Syscalls provide an opportunity of attack for a user who has control | ||
| of the return instruction pointer. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhcos4: CCE-82674-3 | ||
|
|
||
| references: | ||
| srg: SRG-OS-000480-GPOS-00227 | ||
| nist: CM-7(a) | ||
|
|
||
| ocil_clause: 'vsyscalls are enabled' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>vsyscall=none</tt>, then virtual syscalls are not enabled at boot time. | ||
| <br /><br /> | ||
| To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add | ||
| the kernel argument via a <pre>MachineConfig</pre> object to the appropriate | ||
| pools. | ||
|
|
||
| template: | ||
| name: coreos_kernel_option | ||
| vars: | ||
| arg_name: vsyscall | ||
| arg_value: none |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 6 additions & 0 deletions
6
...rmissions/restrictions/poisoning/coreos_page_poison_kernel_argument/kubernetes/shared.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos | ||
| apiVersion: machineconfiguration.openshift.io/v1 | ||
| kind: MachineConfig | ||
| spec: | ||
| kernelArguments: | ||
| - page_poison=1 |
44 changes: 44 additions & 0 deletions
44
...ide/system/permissions/restrictions/poisoning/coreos_page_poison_kernel_argument/rule.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Enable page allocator poisoning' | ||
|
|
||
| description: |- | ||
| To enable poisoning of free pages, add the argument <tt>page_poison=1</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
|
|
||
| rationale: |- | ||
| Poisoning writes an arbitrary value to freed pages, so any modification or | ||
| reference to that page after being freed or before being initialized will be | ||
| detected and prevented. | ||
| This prevents many types of use-after-free vulnerabilities at little performance cost. | ||
| Also prevents leak of data and detection of corrupted memory. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhcos4: CCE-82673-5 | ||
|
|
||
| references: | ||
| srg: SRG-OS-000480-GPOS-00227 | ||
| nist: CM-6(a) | ||
|
|
||
| ocil_clause: 'page allocator poisoning is not enabled' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>page_poison=1</tt>, then page poisoning is enabled at boot time. | ||
| <br /><br /> | ||
| To ensure <tt>page_poison=1</tt> is configured on the installed kernel, add | ||
| the kernel argument via a <pre>MachineConfig</pre> object to the appropriate | ||
| pools. | ||
|
|
||
| template: | ||
| name: coreos_kernel_option | ||
| vars: | ||
| arg_name: page_poison | ||
| arg_value: '1' |
6 changes: 6 additions & 0 deletions
6
...ermissions/restrictions/poisoning/coreos_slub_debug_kernel_argument/kubernetes/shared.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos | ||
| apiVersion: machineconfiguration.openshift.io/v1 | ||
| kind: MachineConfig | ||
| spec: | ||
| kernelArguments: | ||
| - slub_debug=P |
43 changes: 43 additions & 0 deletions
43
...uide/system/permissions/restrictions/poisoning/coreos_slub_debug_kernel_argument/rule.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Enable SLUB/SLAB allocator poisoning' | ||
|
|
||
| description: |- | ||
| To enable poisoning of SLUB/SLAB objects, add the argument <tt>slub_debug=P</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
| rationale: |- | ||
| Poisoning writes an arbitrary value to freed objects, so any modification or | ||
| reference to that object after being freed or before being initialized will be | ||
| detected and prevented. | ||
| This prevents many types of use-after-free vulnerabilities at little performance cost. | ||
| Also prevents leak of data and detection of corrupted memory. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhcos4: CCE-82672-7 | ||
|
|
||
| references: | ||
| srg: SRG-OS-000433-GPOS-00192 | ||
| nist: CM-6(a) | ||
|
|
||
| ocil_clause: 'SLUB/SLAB poisoning is not enabled' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>slub_debug=P</tt>, then SLUB/SLAB poisoning is enabled at boot time. | ||
| <br /><br /> | ||
| To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add | ||
| the kernel argument via a <pre>MachineConfig</pre> object to the appropriate | ||
| pools. | ||
|
|
||
| template: | ||
| name: coreos_kernel_option | ||
| vars: | ||
| arg_name: slub_debug | ||
| arg_value: P |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the rule talk about enabling audit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pointing out that the admin should inspect the kernel command line for audit=1 seems a bit redundant, because it's not the point of this rule. But the ocil rule is not super important for coreos rules and the backlog parameter is mentioned next, so it's OK.