I've recently been trying to reconcile the audit.rules on my systems vs.
the scap-security-guide, and I'm confused about the ARCH rules.
When is it required to check both 32- and 64-bit architectures?
E.g., the guide says both 32- and 64-bit rules are required to check for
unauthorized access attempts:
# Unauthorized Access attempts (audit_rules_unsuccessful_file_modification)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
But for modifying the network environment, only the 64-bit rule is required:
# Network changes (audit_rules_networkconfig_modification)
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
I don't understand why the 32-bit check is required for open() calls but
not for sethostname() calls.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson Robert.C.Jacobson(a)nasa.gov
Lead System Admin Solar Dynamics Observatory (SDO)
Bldg 14, E222 (301) 286-1591
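A small POSIX shell check, added here and not part of the original message or of the scap-security-guide, that reports which syscalls a rules file audits under one arch (b32 or b64) but not under the other. This is the kind of per-syscall listing that makes reconciling a local audit.rules against the guide tractable: instead of eyeballing paired rules, you get the exact names that lack a counterpart and can decide each one on its merits. The rules file it parses is constructed inline and mirrors the rules quoted above; the function names and the temporary file are the example's own.

```shell
#!/bin/sh
# Constructed sample rules file mirroring the rules quoted in the post above.
# In practice, point the functions at /etc/audit/audit.rules or a file in
# /etc/audit/rules.d/ instead.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Unauthorized Access attempts (audit_rules_unsuccessful_file_modification)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
# Network changes (audit_rules_networkconfig_modification)
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
EOF
    printf '%s\n' "$f"
}

# syscalls_for_arch ARCH FILE
# Print the sorted, unique syscall names audited under ARCH in FILE.
# Handles both the repeated "-S a -S b" form used above and the
# comma-separated "-S a,b" form that newer auditd accepts.
syscalls_for_arch() {
    grep -- "-F arch=$1" "$2" |
    tr ' ' '\n' |
    awk 'prev == "-S" { print } { prev = $0 }' |
    tr ',' '\n' |
    sort -u
}

# arch_gap A B FILE
# Print syscalls audited under arch A but with no rule under arch B.
arch_gap() {
    tmp_a=$(mktemp); tmp_b=$(mktemp)
    syscalls_for_arch "$1" "$3" > "$tmp_a"
    syscalls_for_arch "$2" "$3" > "$tmp_b"
    comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Demo run against the constructed sample file.
rules=$(write_sample_rules)
echo "Audited under b64 but not b32:"
arch_gap b64 b32 "$rules"
echo "Audited under b32 but not b64:"
arch_gap b32 b64 "$rules"
rm -f "$rules"
```

On the sample above the first listing is setdomainname and sethostname and the second is empty, which pinpoints exactly the asymmetry the question is about. For each name the script reports, the audit-userspace tool ausyscall (for example `ausyscall i386 sethostname`) tells you whether that name resolves to a syscall number on the 32-bit ABI at all, which is the first thing to establish before deciding whether a b32 rule is needed.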