stig.rules example in audit-2.3.7

Steve Grubb sgrubb at redhat.com
Mon Nov 17 18:41:27 UTC 2014


On Monday, November 17, 2014 11:56:34 AM Steve Grubb wrote:
> On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
> > I was looking through the stig.rules file that is provided with RHEL
> > 6.6 and I noticed some differences that I couldn't find in the actual
> > STIG. After looking at some of the items, I thought maybe they only
> > apply to RHEL 7. Could someone provide some clarification on the
> > following:
> > 
> > - removed ftruncate
> 
> This is in the section called:
> ##- Unauthorized access attempts to files (unsuccessful)
> 
> Which means we want to catch failed attempts at accessing a file. Ftruncate
> takes an fd as a parameter, meaning that open(2) was previously called.
> Open(2) is already in the same set of syscall rules. So, if ftruncate is
> called with a valid FD, then access was obviously allowed and there is no
> need to call it out specifically.

Hmm...did some looking around...just to make sure. Turns out that if a file is 
opened with O_APPEND flags and ftruncate is called on that descriptor, you can 
in fact get EPERM. I guess I'll add it back.

-Steve


> > - added open_by_handle_at
> 
> This is a new way of opening files. The syscall is probably not on RHEL6,
> but because the stig.rules file is for all systems in general, it's included
> in case you are on a new kernel. It may be removed on systems that do not
> have it.
> > - added finit_module
> 
> Also a new system call.
> 
> > - added sections regarding containers
> 
> This is not enabled by default. Not all kernels support containers either.
> (but as mentioned previously, these rules are generic for all systems.) So,
> I would disregard that section for the moment. I will be doing some more
> reorganizing of the rules in the near future that will have some base rules
> and then some extended rules. This will go into the extended rules.
> 
> -Steve
> 
> > Thanks,
> > Andrew Ruch
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> 
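A defender-side check for the point raised in this thread (whether the "unsuccessful access" rule set actually covers ftruncate, alongside open, truncate and the newer open_by_handle_at, for both the EACCES and EPERM exit codes). This is an added example, not code from the thread or from the audit package; the rules text is a constructed sample written in stig.rules style, not the RHEL file, and parse_rules/failed_access_coverage/missing_syscalls are hypothetical helper names.

```python
import re
import shlex

# Constructed sample in the style of the stig.rules section under discussion
# ("Unauthorized access attempts to files (unsuccessful)"); not the RHEL file.
SAMPLE_RULES = """\
##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
"""

# auditctl -F filters look like field<op>value, e.g. exit=-EPERM or auid>=500
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|=|>|<)(.*)$")

def parse_rules(text):
    """Parse auditctl-style '-a' syscall rules into dicts of syscalls and filters."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a"):
            continue  # comments, blank lines and -w/-D/-b lines are not syscall rules
        argv = shlex.split(line)
        rule = {"syscalls": set(), "filters": {}}
        for opt, val in zip(argv[::2], argv[1::2]):  # every auditctl option takes one value
            if opt == "-S":
                rule["syscalls"].update(val.split(","))
            elif opt == "-F":
                m = FILTER_RE.match(val)
                if m:
                    rule["filters"][m.group(1)] = (m.group(2), m.group(3))
        rules.append(rule)
    return rules

def failed_access_coverage(rules):
    """Map arch -> syscalls watched for BOTH an -EACCES and an -EPERM exit."""
    per_errno = {}
    for r in rules:
        arch = r["filters"].get("arch", ("=", "any"))[1]
        exit_f = r["filters"].get("exit")
        if exit_f and exit_f[0] == "=" and exit_f[1] in ("-EACCES", "-EPERM"):
            per_errno.setdefault(arch, {}).setdefault(exit_f[1], set()).update(r["syscalls"])
    return {a: e.get("-EACCES", set()) & e.get("-EPERM", set()) for a, e in per_errno.items()}

def missing_syscalls(text, wanted):
    """Return {(arch, syscall)} for wanted syscalls not covered by both errno rules."""
    cov = failed_access_coverage(parse_rules(text))
    return {(a, sc) for a, have in cov.items() for sc in wanted if sc not in have}
```

Running `missing_syscalls(SAMPLE_RULES, ["open", "truncate", "ftruncate"])` against the sample reports ftruncate as unaudited on both b32 and b64, which is exactly the gap the thread concludes should be closed; pointing it at a real /etc/audit/rules.d file gives the same check for a deployed system.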
