* [PATCH v1] add clock_adjtime to certification rulesets
@ 2021-11-04 21:01 Richard Guy Briggs
  2021-11-04 21:26 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Richard Guy Briggs @ 2021-11-04 21:01 UTC (permalink / raw)
  To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs

The clock_adjtime syscall is missing from several certification rulesets that
monitor changes to the system clock.  Add it.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 rules/30-nispom.rules      | 4 ++--
 rules/30-pci-dss-v31.rules | 4 ++--
 rules/30-stig.rules        | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
index e3873ef95069..ecac01a0b4e1 100644
--- a/rules/30-nispom.rules
+++ b/rules/30-nispom.rules
@@ -10,8 +10,8 @@
 ## Things that could affect time
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
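Review bot: The commented-out clock_adjtime rules immediately below the changed lines already cover this syscall, and the comment above them says they were disabled on purpose because of false positives; folding clock_adjtime into the clock_settime rule re-enables that event while leaving the contradicting comment and `#-a ... clock_adjtime` lines in place. If the intent is that the `-F a0=0x0` filter already on the clock_settime line makes a narrower clock_adjtime rule acceptable, say so in the commit message and drop or reword the stale disabled rules; otherwise leave the file as it was and let sites that want the event uncomment the existing rules.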
diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
index 7062b35f165c..0251bcafcc03 100644
--- a/rules/30-pci-dss-v31.rules
+++ b/rules/30-pci-dss-v31.rules
@@ -77,8 +77,8 @@
 ## We will place rules to check time synchronization
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=10.4.2b-time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=10.4.2b-time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=10.4.2b-time-change
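Review bot: Same conflict as in 30-nispom.rules: the `#-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change` line and its b64 twin, together with the "commented out because it can make false positives" comment, state that this syscall is deliberately not audited, yet the rewritten clock_settime lines now audit it under the same 10.4.2b-time-change key. A reader of the file cannot tell which is intended; either remove the disabled rules and their comment in this hunk or leave the hunk out.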
diff --git a/rules/30-stig.rules b/rules/30-stig.rules
index 234f239cac06..60384f6b247d 100644
--- a/rules/30-stig.rules
+++ b/rules/30-stig.rules
@@ -26,8 +26,8 @@
 ## Things that could affect time
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
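Review bot: Third copy of the same change, with the same stale comment left two lines below it. Whichever way the clock_adjtime question is settled, it should be settled identically across the NISPOM, PCI-DSS and STIG files, since all three carry the same time-change block, and the "commented out because it can make false positives" note should be updated or deleted in the same patch if the event is meant to be enabled.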
-- 
2.27.0

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



* Re: [PATCH v1] add clock_adjtime to certification rulesets
  2021-11-04 21:01 [PATCH v1] add clock_adjtime to certification rulesets Richard Guy Briggs
@ 2021-11-04 21:26 ` Steve Grubb
  2021-11-04 21:41   ` Richard Guy Briggs
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2021-11-04 21:26 UTC (permalink / raw)
  To: Linux-Audit Mailing List, Richard Guy Briggs

Hello Richard,

On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote:
> The clock_adjtime syscall is missing from several certification rulesets
> that monitor changes to the system clock.  Add it.
> 
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  rules/30-nispom.rules      | 4 ++--
>  rules/30-pci-dss-v31.rules | 4 ++--
>  rules/30-stig.rules        | 4 ++--
>  3 files changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
> index e3873ef95069..ecac01a0b4e1 100644
> --- a/rules/30-nispom.rules
> +++ b/rules/30-nispom.rules
> @@ -10,8 +10,8 @@
>  ## Things that could affect time
>  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-
>  change
> -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
> --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
> --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
> +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=time-change
> +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=time-change
> # Introduced in 2.6.39, commented out because it can make false positives
> #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
> #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change

Not sure if you saw this, but directly under the change is a rule for that 
syscall, but it's commented out. This is because it is a very noisy event. 
Anyone that wants it can enable it.

-Steve

> diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
> index 7062b35f165c..0251bcafcc03 100644
> --- a/rules/30-pci-dss-v31.rules
> +++ b/rules/30-pci-dss-v31.rules
> @@ -77,8 +77,8 @@
>  ## We will place rules to check time synchronization
>  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> key=10.4.2b-time-change -a always,exit -F arch=b64 -S
> adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F
> arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a
> always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> key=10.4.2b-time-change +-a always,exit -F arch=b32 -S
> clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a
> always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it
> can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F
> key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F
> key=10.4.2b-time-change diff --git a/rules/30-stig.rules
> b/rules/30-stig.rules
> index 234f239cac06..60384f6b247d 100644
> --- a/rules/30-stig.rules
> +++ b/rules/30-stig.rules
> @@ -26,8 +26,8 @@
>  ## Things that could affect time
>  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F
> key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F
> key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime
> -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S
> clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in
> 2.6.39, commented out because it can make false positives #-a always,exit
> -F arch=b32 -S clock_adjtime -F key=time-change
>  #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change


* Re: [PATCH v1] add clock_adjtime to certification rulesets
  2021-11-04 21:26 ` Steve Grubb
@ 2021-11-04 21:41   ` Richard Guy Briggs
  0 siblings, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2021-11-04 21:41 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-Audit Mailing List

On 2021-11-04 17:26, Steve Grubb wrote:
> Hello Richard,
> 
> On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote:
> > The clock_adjtime syscall is missing from several certification rulesets
> > that monitor changes to the system clock.  Add it.
> > 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  rules/30-nispom.rules      | 4 ++--
> >  rules/30-pci-dss-v31.rules | 4 ++--
> >  rules/30-stig.rules        | 4 ++--
> >  3 files changed, 6 insertions(+), 6 deletions(-)
> > 
> > diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
> > index e3873ef95069..ecac01a0b4e1 100644
> > --- a/rules/30-nispom.rules
> > +++ b/rules/30-nispom.rules
> > @@ -10,8 +10,8 @@
> >  ## Things that could affect time
> >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-
> >  change
> > -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
> > --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
> > --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
> > +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F
> > key=time-change
> > +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> > key=time-change
> > # Introduced in 2.6.39, commented out because it can make false positives
> > #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
> > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
> 
> Not sure if you saw this, but directly under the change is a rule for that 
> syscall, but it's commented out. This is because it is a very noisy event. 
> Anyone that wants it can enable it.

Well, how about that!  No, I didn't see it, not even when I did a git
grep for that symbol.  Not sure how I missed that.  Yes, that rule *is*
noisy.  f35 uses clock_adjtime while rhel8 uses adjtimex for the same
use, which is why I noticed the missing syscall.

Sorry for my noise, please ignore this patch.  <blush>

> -Steve
> 
> > diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
> > index 7062b35f165c..0251bcafcc03 100644
> > --- a/rules/30-pci-dss-v31.rules
> > +++ b/rules/30-pci-dss-v31.rules
> > @@ -77,8 +77,8 @@
> >  ## We will place rules to check time synchronization
> >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> > key=10.4.2b-time-change -a always,exit -F arch=b64 -S
> > adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F
> > arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a
> > always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> > key=10.4.2b-time-change +-a always,exit -F arch=b32 -S
> > clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a
> > always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> > key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it
> > can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F
> > key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F
> > key=10.4.2b-time-change diff --git a/rules/30-stig.rules
> > b/rules/30-stig.rules
> > index 234f239cac06..60384f6b247d 100644
> > --- a/rules/30-stig.rules
> > +++ b/rules/30-stig.rules
> > @@ -26,8 +26,8 @@
> >  ## Things that could affect time
> >  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> > key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F
> > key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F
> > key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> > key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime
> > -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S
> > clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in
> > 2.6.39, commented out because it can make false positives #-a always,exit
> > -F arch=b32 -S clock_adjtime -F key=time-change
> >  #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
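A coverage check in the spirit of the `git grep` Richard mentions above, added here as an example (it is not code from the audit project or from either poster): it parses auditctl-style `-a` rule lines, including ones disabled with a leading `#`, and reports for each architecture whether a syscall is watched by an active rule, mentioned only in a commented-out rule, or absent. The rule text is a constructed sample laid out like the time-change block in the hunks above, before the patch; `parse_rules`, `coverage`, `status` and `report` are names chosen for this example.

```python
"""Audit rule coverage check (added example; not code from the audit
project or from the thread's authors).

Parses auditctl-style ``-a`` rule lines, including ones disabled with a
leading ``#``, so that a syscall present only in a commented-out rule is
reported as such instead of being missed by a plain text search or
mistaken for an active rule."""

import re
import shlex
import sys

# Constructed sample, laid out like the time-change block in the rulesets
# discussed in the thread (before the patch is applied).
SAMPLE_RULES = """\
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
"""

# A syscall rule, active ("-a ...") or disabled ("#-a ..."); watch rules
# ("-w ...") and ordinary comments are ignored.
RULE_RE = re.compile(r"^(#?)\s*-a\s")


def parse_rules(text):
    """Yield (active, arch, syscalls, filters) for each -a rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        active = m.group(1) == ""
        tokens = shlex.split(line.lstrip("#"))
        arch, syscalls, filters = None, [], {}
        i = 0
        while i < len(tokens):
            flag = tokens[i]
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if flag == "-S":                      # -S a,b,c
                syscalls.extend(value.split(","))
                i += 2
            elif flag == "-F":                    # -F key=value
                key, _, val = value.partition("=")
                if key == "arch":
                    arch = val
                else:
                    filters[key] = val
                i += 2
            else:
                i += 1
        yield active, arch, syscalls, filters


def coverage(text):
    """Map (arch, syscall) -> list of {"active": bool, "filters": dict}."""
    cov = {}
    for active, arch, syscalls, filters in parse_rules(text):
        for sc in syscalls:
            cov.setdefault((arch, sc), []).append(
                {"active": active, "filters": filters})
    return cov


def status(text, arch, syscall):
    """'active' if an enabled rule watches the syscall on that arch,
    'commented' if only disabled rules mention it, else 'missing'."""
    rules = coverage(text).get((arch, syscall), [])
    if any(r["active"] for r in rules):
        return "active"
    return "commented" if rules else "missing"


def report(text, arch, syscalls):
    """One line per syscall, with the filters of any active rule; the lines
    are returned so callers can inspect them as well as print them."""
    lines = []
    cov = coverage(text)
    for sc in syscalls:
        extra = ""
        for r in cov.get((arch, sc), []):
            if r["active"] and r["filters"]:
                extra = " filters=" + ",".join(
                    f"{k}={v}" for k, v in sorted(r["filters"].items()))
        lines.append(f"{arch:4} {sc:14} {status(text, arch, sc):9}{extra}")
    return lines


if __name__ == "__main__":
    # With file arguments, check real rulesets; otherwise use the sample.
    texts = []
    for path in sys.argv[1:]:
        with open(path) as fh:
            texts.append(fh.read())
    text = "".join(texts) or SAMPLE_RULES
    watch = ["adjtimex", "settimeofday", "stime", "clock_settime", "clock_adjtime"]
    for a in ("b32", "b64"):
        print("\n".join(report(text, a, watch)))
```

Run without arguments it reports on the sample, showing clock_adjtime as `commented` on both architectures while clock_settime is `active` with `a0=0x0`; pointed at the real rules.d files it answers the question the patch was trying to answer, and the distinction between `commented` and `missing` is exactly what a plain grep for the syscall name hides.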

