Re: stig.rules example in audit-2.3.7
On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
I was looking through the stig.rules file that is provided with RHEL
6.6 and I noticed some differences that I couldn't find in the actual
STIG. After looking at some of the items, I thought maybe they only
apply to RHEL 7. Could someone provide some clarification on the
following:
- removed ftruncate
This is in the section called:
##- Unauthorized access attempts to files (unsuccessful)
Which means we want to catch failed attempts at accessing a file. Ftruncate
takes an fd as a parameter, meaning that open(2) was previously called.
Open(2) is already in the same set of syscall rules. So, if ftruncate is
called with a valid FD, then access was obviously allowed and there is no need
to call it out specifically.
- added open_by_handle_at
This is a new way of opening files. The syscall is probably not on RHEL6, but
because the stig.rules file is for all systems in general, its included in case
you are on a new kernel. It may be removed on systems that do not have it.
- added finit_module
Also a new system call.
- added sections regarding containers
This is not enabled by default. Not all kernels support containers either.
(but as mentioned previously, these rules are generic for all systems.) So, I
would disregard that section for the moment. I will be doing some more
reorganizing of the rules in the near future that will have some base rules
and then some extended rules. This will go into the extended rules.
-Steve
Thanks,
Andrew Ruch
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit