From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: RHEL 8 audit rules
Date: Wed, 06 Nov 2019 11:49:56 -0500
Message-ID: <11239651.W6AYHMhLza@x2>
References: <5F4EE10832231F4F921A255C1D95429819F47E@DEERLM99EX7MSX.ww931.my-it-solutions.net>
In-Reply-To: <5F4EE10832231F4F921A255C1D95429819F47E@DEERLM99EX7MSX.ww931.my-it-solutions.net>
To: linux-audit@redhat.com
Cc: "MAUPERTUIS, PHILIPPE"
List-Id: linux-audit@redhat.com
Sender: linux-audit-bounces@redhat.com

On Wednesday, November 6, 2019 4:39:54 AM EST MAUPERTUIS, PHILIPPE wrote:
> The rules proposed in /usr/share/doc/audit/rules/ contain 32-bit stuff.
> For example:
> ## 10.2.5.b All elevation of privileges is logged
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
> -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
>
> Is it still necessary for RHEL 8?

For RHEL 8 itself, no. But the 32-bit ABI is available for legacy programs.

> Would the 21-no32bit.rules be enough?

If you know for certain that no 32-bit apps will ever be used, then yes. And
then you can also delete all 32-bit rules to improve performance.

This gives me an idea that perhaps the sample rules could be split up into 32-
and 64-bit so that we can improve system performance ever so slightly.

> Can we run any 32-bit binary on RHEL 8?

Yep. And that also means that a malicious Python program can call the 32-bit
ABI in an attempt at avoiding detection.

-Steve
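As an added example (not from this thread, and not code from the audit package), here is a small checker for the gap Steve describes: syscall rules loaded for arch=b64 with no arch=b32 twin, which a program issuing the same syscall through the 32-bit ABI would slip past on a kernel that still has that ABI enabled. It also lists the arch=b32 rules you could drop on a host that genuinely never runs 32-bit code, and can generate the missing twin. The rule text is constructed for the demo: the 10.2.5.b pair copies the one quoted above, while the execve rule and the /etc/shadow watch are made up.

```python
"""Report audit syscall rules that cover only one ABI.

Added example, not part of the linux-audit thread or the audit package.
SAMPLE_RULES is constructed: the 10.2.5.b pair is the one quoted in the
thread, the execve rule and the /etc/shadow watch are invented for the demo.
"""
import shlex
from collections import defaultdict

SAMPLE_RULES = """\
## 10.2.5.b All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
## constructed: a 64-bit rule whose author forgot the 32-bit twin
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root-exec
## constructed: a file watch, which has no arch and is not a syscall rule
-w /etc/shadow -p wa -k shadow-change
"""


def parse_rule(line):
    """Split one syscall rule into (arch, canonical form).

    Returns None for comments, blank lines and non-syscall rules (-w, -D, ...).
    The canonical form is the rule with its arch filter removed and '-k KEY'
    rewritten as '-F key=KEY', so a b32/b64 pair compares equal.
    """
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] not in ("-a", "-A"):
        return None
    arch, rest, i = None, [], 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-F" and nxt is not None and nxt.startswith("arch="):
            arch = nxt[len("arch="):]
            i += 2
        elif tok == "-k" and nxt is not None:
            rest += ["-F", "key=" + nxt]
            i += 2
        else:
            rest.append(tok)
            i += 1
    return arch, " ".join(rest)


def abi_coverage(rules_text):
    """Map each canonical syscall rule to the set of ABIs it is loaded for.

    A rule with no arch filter is recorded as 'unspecified' rather than
    assumed to cover both ABIs; auditctl warns about such rules on x86_64.
    """
    cov = defaultdict(set)
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            arch, canon = parsed
            cov[canon].add(arch or "unspecified")
    return cov


def b64_only(rules_text):
    """Rules loaded for arch=b64 with no arch=b32 twin: the same syscall made
    through the 32-bit ABI is not matched by any of these."""
    return sorted(canon for canon, archs in abi_coverage(rules_text).items()
                  if "b64" in archs and "b32" not in archs)


def b32_lines(rules_text):
    """The arch=b32 rules: candidates to drop on a host that never runs
    32-bit code (the performance trim Steve mentions)."""
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == "b32":
            out.append(line)
    return out


def twin(line, arch):
    """Rewrite a syscall rule for the given ABI, keeping every other field.
    If the rule has no arch filter, one is inserted after '-a action,list'."""
    toks = shlex.split(line)
    out, i, placed = [], 0, False
    while i < len(toks):
        if toks[i] == "-F" and i + 1 < len(toks) and toks[i + 1].startswith("arch="):
            out += ["-F", "arch=" + arch]
            placed = True
            i += 2
        else:
            out.append(toks[i])
            i += 1
    if not placed:
        out[2:2] = ["-F", "arch=" + arch]
    return " ".join(out)


if __name__ == "__main__":
    for canon in b64_only(SAMPLE_RULES):
        print("b64 only (32-bit ABI call would not match):", canon)
        print("  suggested twin:", twin(canon, "b32"))
    print(len(b32_lines(SAMPLE_RULES)), "arch=b32 rule(s) could be dropped on a no-32-bit host")
```

Two caveats before loading a generated twin: a few syscalls carry different names on the 32-bit ABI (check with ausyscall(8) for the i386 table), so the twin of a b64 rule is a starting point rather than a drop-in; and dropping the b32 rules is only safe once 21-no32bit.rules, or an equivalent control, actually prevents 32-bit code from running, since otherwise the gap this script reports is exactly the one an attacker would use.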