* RHEL 8 audit rules
@ 2019-11-06 9:39 MAUPERTUIS, PHILIPPE
2019-11-06 16:49 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: MAUPERTUIS, PHILIPPE @ 2019-11-06 9:39 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1412 bytes --]
Hi,
The rules proposed in /usr/share/doc/audit/rules/ contain 32 bits stuff.
For example :
## 10.2.5.b All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
Is it still necessary for RHEL 8 ?
Would the 21-no32bit.rules be enough ?
Can we run any 32 bits binary on rhel 8 ?
Regards
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
[-- Attachment #1.2: Type: text/html, Size: 3855 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: RHEL 8 audit rules
2019-11-06 9:39 RHEL 8 audit rules MAUPERTUIS, PHILIPPE
@ 2019-11-06 16:49 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2019-11-06 16:49 UTC (permalink / raw)
To: linux-audit; +Cc: MAUPERTUIS, PHILIPPE
On Wednesday, November 6, 2019 4:39:54 AM EST MAUPERTUIS, PHILIPPE wrote:
> The rules proposed in /usr/share/doc/audit/rules/ contain 32 bits stuff.
> For example :
> ## 10.2.5.b All elevation of privileges is logged
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F
> key=10.2.5.b-elevated-privs-session -a always,exit -F arch=b32 -S setuid
> -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
>
> Is it still necessary for RHEL 8 ?
For RHEL8 itself, no. But the 32 bit ABI is available for legacy programs.
> Would the 21-no32bit.rules be enough ?
If you know for certain that no 32 bit apps will ever be used, then yes. And
then you can also delete all 32 bit rules to improve performance.
This gives me an idea that perhaps the sample rules could be split up into 32
and 64 bit so that we can improve system performance ever so slightly.
> Can we run any 32 bits binary on rhel 8 ?
Yep. And that also means that a malicious python program can call the 32bit
ABI in an attempt at avoiding detection.
-Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-06 16:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-06 9:39 RHEL 8 audit rules MAUPERTUIS, PHILIPPE
2019-11-06 16:49 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.