From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: PCI System level object
Date: Mon, 13 Jan 2020 17:05:35 -0500
Message-ID: <2470485.v1Se5RCo8b@x2>
References: <5F4EE10832231F4F921A255C1D954298261DA3@DEERLM99EX7MSX.ww931.my-it-solutions.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5F4EE10832231F4F921A255C1D954298261DA3@DEERLM99EX7MSX.ww931.my-it-solutions.net>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "MAUPERTUIS, PHILIPPE" <philippe.maupertuis@equensworldline.com>
List-Id: linux-audit@redhat.com

On Monday, January 13, 2020 12:46:15 PM EST MAUPERTUIS, PHILIPPE wrote:
> Redhat is providing audit rules sample for PCI DSS.
> For the requirement 10.2.7 it is written :
> ## 10.2.7 Creation and deletion of system-level objects
> ## This requirement seems to be database table related and not audit
> 
> However the PCI glossary defines system level objects as :
> System-level object:
> Anything on a system component that is required for its operation,
> including but not limited to database tables, stored procedures,
> application executables and configuration files, system configuration
> files, static and shared libraries and DLLs, system executables, device
> drivers and device configuration files,and third-party components. 

This seems a lot like overkill.

> It seems It should be covered by the FIM solution and not by audit.

There is the aide program which can certainly tell you what's changed. But I 
wouldn't exactly call it an audit because it doesn't tell you when something 
changed or who did it.

If you had to meet this, then you might want to use:
30-ospp-v42-1-create-success.rules
30-ospp-v42-4-delete-success.rules

That should limit things to creation and deletion but not access or 
modification which don't seem to be called out. Expect a dnf update to flood 
the system with audit events.

> However loading and unloading kernel modules  should probably be covered by
> auditd. Could you tell me which events are generated in that case ?

The rules are in 43-module-load.rules and they create a syscall event with a 
KERN_MODULE record.

> Are there any others events that should consider for this requirement

It depends on your definition of system level objects. Some define it to also 
include sockets, shared memory, disk partitions (mounts), IPC, USB devices, 
etc. I think a more narrow interpretation is better.

-Steve