public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: stig.rules example in audit-2.3.7
Date: Mon, 17 Nov 2014 11:56:34 -0500	[thread overview]
Message-ID: <3054664.0RsHgW7jvG@x2> (raw)
In-Reply-To: <CAPubmWW4iYPFjwtnA-EVDgq_4nUv4+GeMaeEPJZcqO4yivvowQ@mail.gmail.com>

On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
> I was looking through the stig.rules file that is provided with RHEL
> 6.6 and I noticed some differences that I couldn't find in the actual
> STIG. After looking at some of the items, I thought maybe they only
> apply to RHEL 7. Could someone provide some clarification on the
> following:
> 
> - removed ftruncate

This is in the section called:
##- Unauthorized access attempts to files (unsuccessful)

Which means we want to catch failed attempts at accessing a file. Ftruncate 
takes an fd as a parameter, meaning that open(2) was previously called. 
Open(2) is already in the same set of syscall rules. So, if ftruncate is 
called with a valid FD, then access was obviously allowed and there is no need 
to call it out specifically.

> - added open_by_handle_at

This is a new way of opening files. The syscall is probably not on RHEL6, but 
because the stig.rules file is for all systems in general, it's included in case 
you are on a new kernel. It may be removed on systems that do not have it.

> - added finit_module

Also a new system call.

> - added sections regarding containers

This is not enabled by default. Not all kernels support containers either. 
(but as mentioned previously, these rules are generic for all systems.) So, I 
would disregard that section for the moment. I will be doing some more 
reorganizing of the rules in the near future that will have some base rules 
and then some extended rules. This will go into the extended rules.

-Steve

> Thanks,
> Andrew Ruch
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
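The rule groups discussed above, as an added example that is not the stig.rules file shipped with audit-2.3.7 and not Steve's or Andrew's code: a POSIX shell script that emits the "unsuccessful file access" rules (open, openat, open_by_handle_at, creat, truncate matched on a failed exit of -EACCES or -EPERM, with ftruncate left out for the reason given in the reply) and the kernel-module rules including finit_module, and drops any syscall name that the local ausyscall(8) reports as an unknown syscall so the fragment still loads on an older kernel/audit userspace. Assumptions: ausyscall is optional and accepts the b32/b64 arch names used in rules (if it is missing or errors for any other reason, every name is kept, exactly as the shipped file does); uid 500 is the first regular-user uid (the RHEL 6 convention); the key names "access" and "modules" are my own choice.

```shell
#!/bin/sh
# Added example, not the project's stig.rules: generate the two rule groups
# discussed in the thread, filtered by what the local toolchain knows.

# syscall_known ARCH NAME -> false only when ausyscall explicitly reports
# "Unknown syscall". No ausyscall (or any other error) keeps the name, which
# mirrors the shipped file listing every syscall regardless of kernel.
syscall_known() {
    command -v ausyscall >/dev/null 2>&1 || return 0
    ! ausyscall "$1" "$2" 2>&1 | grep -qi 'unknown syscall'
}

# filter_syscalls ARCH NAME... -> "-S name -S name ..." for surviving names
filter_syscalls() {
    arch=$1; shift
    out=""
    for s in "$@"; do
        if syscall_known "$arch" "$s"; then out="$out -S $s"; fi
    done
    printf '%s' "${out# }"
}

# gen_access_rules ARCH -> one rule per error code, matching open-family calls
# that FAILED for an unprivileged real user (auid>=500, not the unset auid).
# ftruncate is deliberately absent: it needs an fd that a prior open/openat
# already granted, so the failed open is the event worth recording.
gen_access_rules() {
    arch=$1
    calls=$(filter_syscalls "$arch" creat open openat open_by_handle_at truncate)
    for err in EACCES EPERM; do
        printf '%s\n' "-a always,exit -F arch=$arch $calls -F exit=-$err -F auid>=500 -F auid!=4294967295 -k modules" | sed 's/-k modules$/-k access/'
    done
}

# gen_module_rules ARCH -> audit module load/unload, including the newer
# finit_module(2), which loads a module from an already-open fd.
gen_module_rules() {
    arch=$1
    calls=$(filter_syscalls "$arch" init_module finit_module delete_module)
    printf '%s\n' "-a always,exit -F arch=$arch $calls -k modules"
}

# gen_all_rules -> a fragment ready for /etc/audit/rules.d/ (audit 2.x) or
# for appending to /etc/audit/audit.rules, then `augenrules` / `auditctl -R`.
gen_all_rules() {
    echo '##- Unauthorized access attempts to files (unsuccessful)'
    gen_access_rules b32
    gen_access_rules b64
    echo '##- Kernel module loading and unloading'
    gen_module_rules b32
    gen_module_rules b64
}

gen_all_rules
```

Load the output with `auditctl -R` on the target host rather than trusting the generator: auditctl rejects a rule naming a syscall its kernel lacks, which is the failure the filter is there to avoid, and `auditctl -l` shows what was actually installed.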


Thread overview: 3+ messages
2014-11-17 16:30 stig.rules example in audit-2.3.7 Andrew Ruch
2014-11-17 16:56 ` Steve Grubb [this message]
2014-11-17 18:41   ` Steve Grubb
