Got it.

Thanks,


Josh

On Apr 3, 2017, 5:56 AM -0400, Jan Lieskovsky <jlies...@redhat.com>, wrote:
> Hello Josh,
>
> >
> > Hi, I am using oscap on CentOS 7.1 to run a PCI profile check. The system is
> > 64-bit (see arch and uname -a). However, when I run the remediation I get
> > some 32-bit rules (see /etc/audit/rules.d/audit_time_rules.rules). Can
> > anybody explain why this would be? Or is it a bug?
>
> On a 64-bit system you want to track both 32-bit and 64-bit system calls via
> audit (since 32-bit applications can also do something wrong there...).
>
> >
> >
> > COMMAND
> > oscap xccdf eval --remediate --tailoring-file tailoring.xml --report
> > report.html  --profile xccdf_org.ssgproject.content_profile_pci-dss_with_ot
> > /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
> >
> > CONFIRM 64BIT
> > [root@test ~]# arch
> > x86_64
> > [root@test ~]# uname -a
> > Linux test.checkoutstagingapp.com 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> > 32 BIT REMEDIATION RULE
> > [root@test ~]# cat /etc/audit/rules.d/audit_time_rules.rules
> > -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
> > -w /etc/localtime -p wa -k audit_time_rules
>
> This is expected / OK under the assumption that there's also a corresponding
> entry for the 64-bit system -- something like:
>
> -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
>
> The "stime" call doesn't have a 64-bit equivalent:
> $ ausyscall x86_64 stime
> Unknown syscall stime using x86_64 lookup table
>
> $ ausyscall i686 stime
> stime 25
>
> That's why it wouldn't be present in the 64-bit rule (but the rest of the
> rule, except arch, would be the same).
>
> > Thanks,
> >
> >
> > Josh Moore
> > Chief Architect
> > TarokoSoftware
> >
>
> HTH.
>
> Regards, Jan
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
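A check for the "corresponding entry for the 64-bit system" that Jan describes, written as an added example for this thread (it is not code from the thread, from OpenSCAP or from the SSG content). It parses auditd rule lines of the form `-a always,exit -F arch=bNN -S ... -k key`, groups syscall rules by key and reports syscalls audited for one arch but not the other. `stime` is tolerated on the 64-bit side because the `ausyscall` output above shows it has no x86_64 entry. The sample rule text is constructed: the audit_time_rules lines mirror the thread, while the `perm_mod` lines are made up to show what a real gap looks like. Run it with no arguments to check the sample, or pass a path such as /etc/audit/rules.d/audit_time_rules.rules.

```python
"""Check that every arch=b32 syscall audit rule has an arch=b64 twin.

Added example for the open-scap-list thread; not code from the thread,
OpenSCAP or the SSG project. Only `-a` syscall rules with an explicit
`-F arch=` filter are compared; watch rules (`-w`) are ignored.
"""
import re
import shlex
import sys
from collections import defaultdict

# Constructed sample input. The audit_time_rules lines match the thread;
# the perm_mod lines are invented so that one key shows a real gap.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm_mod
"""

# Syscalls present in the i686 table but absent from x86_64: the thread's
# `ausyscall x86_64 stime` returns "Unknown syscall", `ausyscall i686 stime`
# returns 25. Extend this set from ausyscall output on your own system.
B32_ONLY = {"stime"}

ARCH_RE = re.compile(r"arch=(b32|b64)")


def parse_rules(text):
    """Return {key: {"b32": set(syscalls), "b64": set(syscalls)}}."""
    rules = defaultdict(lambda: {"b32": set(), "b64": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a"):
            continue  # skip blanks, comments and -w watch rules
        argv = shlex.split(line)
        arch, key, syscalls = None, None, []
        i = 0
        while i < len(argv):
            tok = argv[i]
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if tok == "-F" and nxt is not None:
                m = ARCH_RE.fullmatch(nxt)
                if m:
                    arch = m.group(1)
                i += 2
            elif tok == "-S" and nxt is not None:
                # auditctl accepts both `-S a,b` and repeated `-S a -S b`
                syscalls.extend(nxt.split(","))
                i += 2
            elif tok == "-k" and nxt is not None:
                key = nxt
                i += 2
            else:
                i += 1
        if arch and key:
            rules[key][arch].update(syscalls)
    return dict(rules)


def find_gaps(rules, b32_only=B32_ONLY):
    """Return {key: {"missing_b64": set, "missing_b32": set}} for keys with gaps.

    A syscall audited under b32 but not b64 is only a gap if it exists on
    x86_64 at all, hence the b32_only exclusion.
    """
    gaps = {}
    for key, by_arch in rules.items():
        missing_b64 = by_arch["b32"] - by_arch["b64"] - b32_only
        missing_b32 = by_arch["b64"] - by_arch["b32"]
        if missing_b64 or missing_b32:
            gaps[key] = {"missing_b64": missing_b64, "missing_b32": missing_b32}
    return gaps


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    gaps = find_gaps(parse_rules(text))
    for key, g in sorted(gaps.items()):
        print(f"{key}: missing on b64 {sorted(g['missing_b64'])}, "
              f"missing on b32 {sorted(g['missing_b32'])}")
    sys.exit(1 if gaps else 0)
```

On the sample input the audit_time_rules key is reported clean, because the only difference between its b32 and b64 lines is stime, while perm_mod is flagged for fchmodat missing from the b64 rule.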
