On 2021-11-04 17:26, Steve Grubb wrote:
 Hello Richard,
 
 On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote:
 > The clock_adjtime syscall is missing from several certification rulesets
 > that monitor changes to the system clock.  Add it.
 > 
 > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
 > 
 > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
 > ---
 >  rules/30-nispom.rules      | 4 ++--
 >  rules/30-pci-dss-v31.rules | 4 ++--
 >  rules/30-stig.rules        | 4 ++--
 >  3 files changed, 6 insertions(+), 6 deletions(-)
 > 
 > diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
 > index e3873ef95069..ecac01a0b4e1 100644
 > --- a/rules/30-nispom.rules
 > +++ b/rules/30-nispom.rules
 > @@ -10,8 +10,8 @@
 >  ## Things that could affect time
 >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-
 >  change
 > -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
 > --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
 > --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
 > +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F
 > key=time-change
 > +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
 > key=time-change
 > # Introduced in 2.6.39, commented out because it can make false positives
 > #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
 > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
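Review bot: adding clock_adjtime to the active `-S clock_settime,clock_adjtime` rules while leaving the three lines directly below them in place (`# Introduced in 2.6.39, commented out because it can make false positives` and the two `#-a ... -S clock_adjtime` rules) makes the file say both that clock_adjtime is monitored and that it is deliberately not. Either delete those three lines in this hunk, or, if the noise concern behind that comment still stands, keep clock_adjtime out of the active rule and only reword the comment. Worth a one-line comment either way: the `-F a0=0x0` filter now applies to both syscalls, which is consistent since clk_id is the first argument of both clock_settime and clock_adjtime and 0 is CLOCK_REALTIME, so the new coverage is narrower than the unfiltered commented-out rule, and the commit message should say that is why the false-positive note no longer applies.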
 
 Not sure if you saw this, but directly under the change is a rule for that 
 syscall, but it's commented out. This is because it is a very noisy event. 
 Anyone that wants it can enable it. 
Well, how about that!  No, I didn't see it, not even when I did a git
grep for that symbol.  Not sure how I missed that.  Yes, that rule *is*
noisy.  f35 uses clock_adjtime while rhel8 uses adjtimex for the same
use, which is why I noticed the missing syscall.
Sorry for my noise, please ignore this patch.  <blush>
 -Steve
 
 > diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
 > index 7062b35f165c..0251bcafcc03 100644
 > --- a/rules/30-pci-dss-v31.rules
 > +++ b/rules/30-pci-dss-v31.rules
 > @@ -77,8 +77,8 @@
 >  ## We will place rules to check time synchronization
 >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
 > key=10.4.2b-time-change -a always,exit -F arch=b64 -S
 > adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F
 > arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a
 > always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
 > key=10.4.2b-time-change +-a always,exit -F arch=b32 -S
 > clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a
 > always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
 > key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it
 > can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F
 > key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F
 > key=10.4.2b-time-change diff --git a/rules/30-stig.rules
 > b/rules/30-stig.rules
 > index 234f239cac06..60384f6b247d 100644
 > --- a/rules/30-stig.rules
 > +++ b/rules/30-stig.rules
 > @@ -26,8 +26,8 @@
 >  ## Things that could affect time
 >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
 > key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F
 > key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F
 > key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
 > key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime
 > -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S
 > clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in
 > 2.6.39, commented out because it can make false positives #-a always,exit
 > -F arch=b32 -S clock_adjtime -F key=time-change
 >  #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change 
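Review bot: the 30-pci-dss-v31.rules and 30-stig.rules hunks have the same inconsistency: the `+-a ... -S clock_settime,clock_adjtime -F a0=0x0` lines are added while the `# Introduced in 2.6.39, commented out because it can make false positives` comment and the `#-a ... -S clock_adjtime` rules stay directly underneath, so each file now claims clock_adjtime is both monitored and intentionally excluded. Remove or reword those three lines in both files in the same patch so the rulesets stay self-consistent; the untouched b32 `adjtimex,settimeofday,stime` and b64 `adjtimex,settimeofday` rules are fine as they are.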
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
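The thread turns on a rules file that mentions clock_adjtime only in a commented-out rule, which a quick grep can miss and which the patch would have left alongside an active rule for the same syscall. The following is an added example, not code from this thread or from the audit-userspace project: a small Python checker for the subset of auditctl syntax used in the hunks (`-a list,action -F arch=... -S sys1,sys2 -F field=value`) that reports, per architecture, which syscalls have an active rule, which appear only in commented-out rules, and which appear in both. The sample rule sets are constructed from the NISPOM hunk before and after the patch; the handling of `-F` comparison operators other than `=` is an assumption about auditctl syntax beyond what the page shows.

```python
"""Report syscall coverage in an audit rules file (added example, not audit-userspace code)."""
from __future__ import annotations

import re
import shlex
from collections import defaultdict
from dataclasses import dataclass

# -F takes name<op>value; '=' is what the page uses, the other operators are an assumption.
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|=|<|>|&)(.*)$")


@dataclass
class Rule:
    active: bool            # False when the line was commented out with '#'
    arch: str | None        # value of -F arch=..., if present
    syscalls: list[str]     # names from every -S option, comma lists expanded
    fields: dict[str, str]  # remaining -F fields, e.g. {"a0": "0x0", "key": "time-change"}
    raw: str


def parse_rule(line: str) -> Rule | None:
    """Parse one '-a ...' rule; '#-a ...' is parsed as a commented-out rule, anything else is skipped."""
    text = line.strip()
    active = True
    if text.startswith("#"):
        text = text.lstrip("#").strip()
        active = False
    if not text.startswith("-a "):
        return None                     # '## Things that could affect time', blank lines, -w rules
    toks = shlex.split(text)
    rule = Rule(active, None, [], {}, line.rstrip("\n"))
    i = 0
    while i < len(toks):                # every option seen here (-a, -S, -F) takes one argument
        opt, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if opt == "-S":
            rule.syscalls.extend(s for s in arg.split(",") if s)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if m is None:
                raise ValueError(f"bad -F field {arg!r} in {line!r}")
            name, op, value = m.groups()
            if name == "arch" and op == "=":
                rule.arch = value
            else:
                rule.fields[name] = value if op == "=" else op + value
        i += 2
    return rule


def coverage(text: str) -> dict[tuple[str, str], dict[str, list[Rule]]]:
    """Map (arch, syscall) -> rules mentioning it, split into active and commented-out."""
    cov: dict[tuple[str, str], dict[str, list[Rule]]] = defaultdict(lambda: {"active": [], "commented": []})
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        for sc in r.syscalls:
            cov[(r.arch or "any", sc)]["active" if r.active else "commented"].append(r)
    return dict(cov)


def missing_active(text: str, arch: str, wanted: list[str]) -> list[str]:
    """Syscalls from `wanted` with no active rule for `arch`: the gap the patch set out to close."""
    cov = coverage(text)
    return [sc for sc in wanted if not cov.get((arch, sc), {}).get("active")]


def active_and_commented(text: str) -> list[tuple[str, str]]:
    """(arch, syscall) pairs in both an active and a commented-out rule: a file that contradicts itself."""
    return sorted(k for k, v in coverage(text).items() if v["active"] and v["commented"])


# Constructed from the 30-nispom.rules hunk in the thread: before and after the proposed change.
RULES_BEFORE_PATCH = """\
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
"""
RULES_AFTER_PATCH = RULES_BEFORE_PATCH.replace("-S clock_settime -F", "-S clock_settime,clock_adjtime -F")

# Syscalls a b64 time-change ruleset should cover (stime is 32-bit only, so it is left out here).
TIME_SYSCALLS_B64 = ["adjtimex", "settimeofday", "clock_settime", "clock_adjtime"]

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE_PATCH), ("after", RULES_AFTER_PATCH)):
        print(label, "missing active b64 rule:", missing_active(rules, "b64", TIME_SYSCALLS_B64))
        print(label, "active and commented:", active_and_commented(rules))
```

Run against the pre-patch rules, `missing_active` reports clock_adjtime for b64, the gap the patch targeted; run against the post-patch rules, `active_and_commented` flags clock_adjtime on both arches, the contradiction the reviewers discussed. Only `-a` syscall rules are parsed; `-w` watch rules and `-k` keys would need additional branches.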