* stig.rules example in audit-2.3.7
From: Andrew Ruch @ 2014-11-17 16:30 UTC (permalink / raw)
To: linux-audit
Hello,
I was looking through the stig.rules file that is provided with RHEL
6.6 and I noticed some differences that I couldn't find in the actual
STIG. After looking at some of the items, I thought maybe they only
apply to RHEL 7. Could someone provide some clarification on the
following:
- removed ftruncate
- added open_by_handle_at
- added finit_module
- added sections regarding containers
Thanks,
Andrew Ruch
* Re: stig.rules example in audit-2.3.7
From: Steve Grubb @ 2014-11-17 16:56 UTC (permalink / raw)
To: linux-audit
On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
> I was looking through the stig.rules file that is provided with RHEL
> 6.6 and I noticed some differences that I couldn't find in the actual
> STIG. After looking at some of the items, I thought maybe they only
> apply to RHEL 7. Could someone provide some clarification on the
> following:
>
> - removed ftruncate
This is in the section called:
##- Unauthorized access attempts to files (unsuccessful)
Which means we want to catch failed attempts at accessing a file. Ftruncate
takes an fd as a parameter, meaning that open(2) was previously called.
Open(2) is already in the same set of syscall rules. So, if ftruncate is
called with a valid FD, then access was obviously allowed and there is no need
to call it out specifically.
> - added open_by_handle_at
This is a new way of opening files. The syscall is probably not on RHEL6, but
because the stig.rules file is for all systems in general, it's included in case
you are on a new kernel. It may be removed on systems that do not have it.
> - added finit_module
Also a new system call.
> - added sections regarding containers
This is not enabled by default. Not all kernels support containers either.
(but as mentioned previously, these rules are generic for all systems.) So, I
would disregard that section for the moment. I will be doing some more
reorganizing of the rules in the near future that will have some base rules
and then some extended rules. This will go into the extended rules.
-Steve
> Thanks,
> Andrew Ruch
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
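Steve's point that open_by_handle_at and finit_module can simply be removed on a kernel that lacks them can be scripted instead of done by hand, which matters because auditctl rejects a rule naming a syscall it cannot resolve. The following is an added example written for this page, not code from the thread or from the audit package. The rule text is constructed in the shape of the stig.rules "unsuccessful access" and module sections (it is not the shipped file), and the syscall set is a made-up stand-in for an older kernel; on a real host the names would come from the ausyscall utility's --dump output for the arch in question. Each `-a ... -S` rule is rewritten with absent syscalls dropped, and a rule left with no syscall at all is discarded; watch rules and comments pass through untouched.

```python
import shlex

# Constructed sample in the shape of stig.rules (not the shipped file):
# one "access" rule per errno value, as the STIG prescribes, plus module rules.
SAMPLE_RULES = """\
##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

##- Kernel module loading and unloading
-a always,exit -F arch=b64 -S init_module,finit_module -k modules
-a always,exit -F arch=b64 -S finit_module -k modules
"""

# Constructed stand-in for an older kernel's syscall table (assumption for the
# example). On a real host build this set from `ausyscall b64 --dump`.
OLD_KERNEL_SYSCALLS = {
    "open", "openat", "truncate", "ftruncate", "init_module", "delete_module",
}


def prune_rule(line, supported):
    """Drop unsupported `-S` syscalls from one audit rule line.

    Returns the rewritten rule, the line unchanged if it is a comment, blank
    line or a rule without `-S`, or None if every syscall was unsupported.
    Handles both `-S a -S b` and the comma form `-S a,b` auditctl accepts;
    `-S all` is always kept.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    toks = shlex.split(stripped)
    out, seen_syscall_flag, kept = [], False, 0
    i = 0
    while i < len(toks):
        if toks[i] == "-S" and i + 1 < len(toks):
            seen_syscall_flag = True
            for name in toks[i + 1].split(","):
                if name == "all" or name in supported:
                    out += ["-S", name]
                    kept += 1
            i += 2
        else:
            out.append(toks[i])
            i += 1
    if seen_syscall_flag and kept == 0:
        return None
    return " ".join(out)


def prune_rules(text, supported):
    """Apply prune_rule to a whole rules file; returns (kept_lines, dropped_rules)."""
    kept, dropped = [], []
    for line in text.splitlines():
        rewritten = prune_rule(line, supported)
        if rewritten is None:
            dropped.append(line)
        else:
            kept.append(rewritten)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = prune_rules(SAMPLE_RULES, OLD_KERNEL_SYSCALLS)
    print("\n".join(kept))
    for rule in dropped:
        print("# dropped (no supported syscall left):", rule)
```

Feeding the real table in is a matter of `ausyscall b64 --dump` (and `b32` for the 32-bit rules) on the target host; keeping the pruned copy separate from the shipped stig.rules makes the next package update a clean three-way merge rather than a hand edit.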
* Re: stig.rules example in audit-2.3.7
From: Steve Grubb @ 2014-11-17 18:41 UTC (permalink / raw)
To: linux-audit
On Monday, November 17, 2014 11:56:34 AM Steve Grubb wrote:
> On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
> > I was looking through the stig.rules file that is provided with RHEL
> > 6.6 and I noticed some differences that I couldn't find in the actual
> > STIG. After looking at some of the items, I thought maybe they only
> > apply to RHEL 7. Could someone provide some clarification on the
> > following:
> >
> > - removed ftruncate
>
> This is in the section called:
> ##- Unauthorized access attempts to files (unsuccessful)
>
> Which means we want to catch failed attempts at accessing a file. Ftruncate
> takes an fd as a parameter, meaning that open(2) was previously called.
> Open(2) is already in the same set of syscall rules. So, if ftruncate is
> called with a valid FD, then access was obviously allowed and there is no
> need to call it out specifically.
Hmm...did some looking around...just to make sure. Turns out that if a file is
opened with O_APPEND flags and ftruncate is called on that descriptor, you can
in fact get EPERM. I guess I'll add it back.
-Steve
> > - added open_by_handle_at
>
> This is a new way of opening files. The syscall is probably not on RHEL6,
> but because the stig.rules file is for all systems in general, its included
> in case you are on a new kernel. It may be removed on systems that do not
> have it.
> > - added finit_module
>
> Also a new system call.
>
> > - added sections regarding containers
>
> This is not enabled by default. Not all kernels support containers either.
> (but as mentioned previously, these rules are generic for all systems.) So,
> I would disregard that section for the moment. I will be doing some more
> reorganizing of the rules in the near future that will have some base rules
> and then some extended rules. This will go into the extended rules.
>
> -Steve
>
> > Thanks,
> > Andrew Ruch
> >
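The reason ftruncate belongs back in the "unsuccessful access" rule set is that a descriptor open(2) handed back successfully is no guarantee that ftruncate(2) on it succeeds. The following is an added example for this page, not code from the thread or from the audit package. It shows the failure path that needs no privilege: a regular file opened read-only, which the kernel refuses to truncate with EINVAL. The EPERM refusal the kernel applies to an inode carrying the append-only attribute (chattr +a) is the other path, but setting that attribute needs CAP_LINUX_IMMUTABLE, so it is not exercised here. The second function records the caveat a practitioner should keep in mind: rules of the shape the STIG prescribes filter on exit=-EACCES and exit=-EPERM, so an EINVAL failure like the one below is not logged by them.

```python
import errno
import os
import tempfile


def ftruncate_result(mode):
    """Open a scratch file in `mode` ("r" or "w"), ftruncate it, report the outcome.

    open(2) succeeds for both modes; only the later ftruncate(2) can fail.
    Returns "OK" on success, otherwise the errno name (e.g. "EINVAL").
    """
    flags = {"r": os.O_RDONLY, "w": os.O_WRONLY}[mode]
    fd0, path = tempfile.mkstemp(prefix="ftruncate-demo-")
    os.close(fd0)
    fd = os.open(path, flags)          # the open call the audit rule already sees
    try:
        os.ftruncate(fd, 0)            # a second, separately auditable syscall
        return "OK"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.close(fd)
        os.unlink(path)


def stig_access_rule_matches(errname):
    """Would an access rule filtering on exit=-EACCES or exit=-EPERM record this failure?"""
    return errname in ("EACCES", "EPERM")


if __name__ == "__main__":
    for mode in ("w", "r"):
        outcome = ftruncate_result(mode)
        print(f"open({mode!r}) ok, ftruncate -> {outcome}; "
              f"STIG access rule would log it: {stig_access_rule_matches(outcome)}")
```

On a host with the rule loaded, `ausearch -k access` after running the script shows no record for the read-only case, which is the expected behaviour: EINVAL is a programming error, not a denied access, and the STIG rules are deliberately narrow.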