-----Original Message-----
From: Steve Grubb
Sent: Saturday, October 27, 2007 10:55 AM
Subject: Re: stime(2) auditing on x86_64
On Saturday 27 October 2007 12:29:39 am Todd, Charles wrote:
> I was trying to get my system to pass a System Readiness Review (SRR)
> from disa.mil and it would appear that stime(2) is not audited under
> x86_64, either in v1.0.15 or v1.2.1 of auditd.
That is because x86_64 does not have that syscall. It uses
settimeofday for the same functionality. But, it does exist
in the 32 bit compatibility layer.
Okay, I understand the bi-arch thing except one thing: does that mean
the 32-bit compatibility layer is ultimately calling the 64-bit version?
If I audit settimeofday(), will it grab both the 64-bit version as well
as the brokered 32-bit stime() call? My gut tells me yes, but I wanted
to ask just to be sure.
> A careful observer will note that the CAPP suggested configuration
> already captures adjtimex and settimeofday. I just want to pass my
> test, but is there overlap here that I should push back on?
Not really, I think DISA is telling you the intent and that
needs to be interpreted/extended to cover bi-arch systems. I
should probably update the man pages to clarify things
regarding bi-arch systems. I think Matt Booth pointed out
something similar a week or two ago.
DISA's intent and their SRRs have always been two completely separate
entities. Testers only see that I don't have that flag, and less
resourceful security folks won't know how to argue back. Ultimately, we
need to teach DISA to write better tests.
Thanks for the on-target response. Sorry to see you were checking
e-mail on the weekend. :-)
Charlie Todd
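The practical consequence of Steve's point is that on a bi-arch x86_64 box a rule that names settimeofday and adjtimex with "-F arch=b64" says nothing about 32-bit callers, and stime(2) can only ever be matched by a "-F arch=b32" rule because the 64-bit ABI has no such syscall. The checker below is an added example written for this thread, not code from either poster or from the audit project. It parses auditctl-style rule lines and reports, per ABI, which time-setting syscalls are still unaudited. Its assumptions: the syscall table is a constructed subset containing only the three calls discussed here (x86_64: settimeofday=164, adjtimex=159; i386: stime=25, settimeofday=79, adjtimex=124), a rule with no "-F arch=" filter is treated as binding to the native 64-bit ABI, and a syscall name or number that does not exist for the rule's ABI is silently ignored (the real auditctl would reject such a rule instead).

```python
"""Check that audit rules cover time-setting syscalls on both ABIs of an
x86_64 (bi-arch) system.  Added example for this thread, not audit code.

SYSCALLS is a constructed subset of the real x86_64 and i386 tables; it
lists only the calls discussed here.  Note stime exists only under b32.
"""
import shlex

SYSCALLS = {
    "b64": {"settimeofday": 164, "adjtimex": 159},
    "b32": {"stime": 25, "settimeofday": 79, "adjtimex": 124},
}
# Every ABI must audit each time-setting call it actually provides.
REQUIRED = {arch: frozenset(table) for arch, table in SYSCALLS.items()}
# Assumption: a rule without "-F arch=" binds to the native (64-bit) ABI.
NATIVE_ARCH = "b64"


def parse_rule(line):
    """Return (arch, [syscall tokens]) for one '-a ... -S ...' rule line,
    or None for comments, blank lines, watches and other non-syscall rules."""
    line = line.split("#", 1)[0].strip()
    if not line.startswith("-a"):
        return None
    args = shlex.split(line)
    arch, tokens = NATIVE_ARCH, []
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in ("-F", "-S") and i + 1 < len(args):
            val = args[i + 1]
            if tok == "-S":
                tokens.extend(val.split(","))   # -S a,b or repeated -S
            elif val.startswith("arch="):
                arch = val[len("arch="):]
            i += 2
        else:
            i += 1
    return (arch, tokens) if tokens else None


def resolve(arch, tokens):
    """Map rule tokens (names or numbers) to syscall names that exist for
    this ABI.  'all' covers the whole table.  Unknown tokens are ignored
    here; the real auditctl would refuse the rule (e.g. stime under b64)."""
    table = SYSCALLS.get(arch, {})
    by_number = {num: name for name, num in table.items()}
    names = set()
    for tok in tokens:
        if tok == "all":
            names.update(table)
        elif tok.isdigit() and int(tok) in by_number:
            names.add(by_number[int(tok)])
        elif tok in table:
            names.add(tok)
    return names


def audited_per_arch(rules_text):
    """Union of audited time-setting syscalls, keyed by ABI."""
    covered = {arch: set() for arch in SYSCALLS}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        arch, tokens = parsed
        if arch in covered:
            covered[arch] |= resolve(arch, tokens)
    return covered


def missing_time_rules(rules_text):
    """Per ABI, the required time-setting syscalls no rule audits."""
    covered = audited_per_arch(rules_text)
    return {arch: sorted(REQUIRED[arch] - covered[arch]) for arch in SYSCALLS}


# Constructed sample rule sets (not the CAPP file itself).
CAPP_STYLE = """\
# 64-bit-only rules in the spirit of the CAPP sample configuration
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -k time-change
"""
BIARCH = """\
-a always,exit -F arch=b64 -S settimeofday,adjtimex -k time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -k time-change
"""

if __name__ == "__main__":
    for label, rules in (("64-bit only", CAPP_STYLE), ("bi-arch", BIARCH)):
        print(label, "->", missing_time_rules(rules))
```

Run against the 64-bit-only set, the checker reports that every b32 time-setting call, stime included, is unaudited; the bi-arch set reports nothing missing. The same parser also accepts numeric forms such as "-S 25" under arch=b32, which is how some generated rule files spell stime.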