On Wednesday, November 6, 2019 4:39:54 AM EST MAUPERTUIS, PHILIPPE wrote:
> The rules proposed in /usr/share/doc/audit/rules/ contain 32-bit
> stuff.
> For example:
> ## 10.2.5.b All elevation of privileges is logged
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
> -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
> Is it still necessary for RHEL 8?

For RHEL8 itself, no. But the 32 bit ABI is available for legacy programs.

> Would the 21-no32bit.rules be enough?

If you know for certain that no 32 bit apps will ever be used, then yes. And
then you can also delete all 32 bit rules to improve performance.

This gives me an idea that perhaps the sample rules could be split up into 32
and 64 bit so that we can improve system performance ever so slightly.

> Can we run any 32-bit binary on RHEL 8?

Yep. And that also means that a malicious python program can call the 32bit
ABI in an attempt at avoiding detection.
-Steve
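
An added example, not part of the original message or the audit package: a small checker that lists `arch=b64` syscall rules with no matching `arch=b32` rule, which is the coverage gap the last answer warns about. The function names and the third and fifth sample rules are constructed for illustration. It assumes a b32 twin is identical apart from the arch field, so pairs that legitimately name different syscalls per ABI will be listed for manual review.

```python
import shlex

# Constructed sample rule file; only the two setuid rules come from the thread.
SAMPLE_RULES = """\
## 10.2.5.b All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S setgid -F a0=0 -F exe=/usr/bin/su -F key=constructed-example
-w /etc/passwd -p wa -k constructed-watch
"""

def parse_rule(line):
    """Return (arch, fields-without-arch) for a syscall rule, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    if tokens[0] not in ("-a", "-A"):
        return None  # file watches (-w) and control lines are skipped
    arch, rest, i = None, [], 0
    while i < len(tokens):
        if tokens[i] == "-F" and i + 1 < len(tokens) and tokens[i + 1].startswith("arch="):
            arch = tokens[i + 1].split("=", 1)[1]
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return (arch, tuple(rest)) if arch else None

def uncovered_b64_rules(text):
    """List arch=b64 rules that have no otherwise-identical arch=b32 rule."""
    b64, b32 = [], set()
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        arch, sig = parsed
        if arch == "b64":
            b64.append((sig, line.strip()))
        elif arch == "b32":
            b32.add(sig)
    # Assumption: a b32 rule with "-S all" records every 32-bit syscall,
    # so no per-rule twin is needed when one is loaded.
    if any("all" in sig[i + 1:i + 2] for sig in b32 for i, t in enumerate(sig) if t == "-S"):
        return []
    return [line for sig, line in b64 if sig not in b32]

if __name__ == "__main__":
    print("\n".join(uncovered_b64_rules(SAMPLE_RULES)))
```

Run against the constructed sample, it reports only the `setgid` rule, since the `setuid` pair from the thread is covered on both ABIs.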