I've recently been trying to reconcile the audit.rules on my systems vs. the scap-security-guide, and I'm confused about the ARCH rules.
When is it required to check both 32- and 64-bit architectures? E.g. the guide says both 32- and 64-bit rules are required to check for unauthorized access attempts:

    # Unauthorized Access attempts (audit_rules_unsuccessful_file_modification)
    -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
    -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
    -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
    -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

But for modifying the network environment, only the 64-bit rule is required:

    # Network changes ( audit_rules_networkconfig_modification )
    -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification

I don't understand why the 32-bit check is required for open() calls but not sethostname() calls?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson
[email protected]
Lead System Admin
Solar Dynamics Observatory (SDO)
Bldg 14, E222
(301) 286-1591

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
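The practical background to the question is that the audit subsystem matches syscall rules by syscall number within a given ABI, and the 32-bit and 64-bit tables on an x86_64 kernel are different, so an `arch=b64` rule never fires for a call made through the 32-bit compat ABI. A quick way to see which syscalls a rule set watches on only one architecture is to parse the rules and compare coverage per syscall. The following script is an added example written for this post, not code from the SCAP Security Guide project or the poster; it embeds the rules quoted above as constructed sample input and reports every syscall that is not watched on both `b32` and `b64`, leaving it to the administrator to decide whether the gap is intended.

```python
"""Report per-architecture syscall coverage of auditctl-style rules.

Added example; the rule text below is constructed from the rules quoted
in the mailing-list post and is not a full audit.rules file.
"""
import shlex
from collections import defaultdict

# Constructed sample input: the rules quoted in the post above.
SAMPLE_RULES = """
# Unauthorized Access attempts (audit_rules_unsuccessful_file_modification)
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Network changes ( audit_rules_networkconfig_modification )
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
"""


def parse_rules(text):
    """Yield (arch, syscalls, key) for every syscall rule ('-a ... -S ...').

    Blank lines and '#' comments are skipped; rules without -S (e.g. -w
    watches) are ignored because they do not take an arch filter.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        arch, syscalls, key = None, [], None
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-F" and i + 1 < len(tokens):
                field = tokens[i + 1]
                if field.startswith("arch="):
                    arch = field.split("=", 1)[1]
                i += 2
            elif tok == "-S" and i + 1 < len(tokens):
                # auditctl also accepts a comma-separated list after -S
                syscalls.extend(tokens[i + 1].split(","))
                i += 2
            elif tok == "-k" and i + 1 < len(tokens):
                key = tokens[i + 1]
                i += 2
            else:
                i += 1
        if syscalls:
            yield arch, syscalls, key


def coverage(text):
    """Map each syscall name to the set of architectures that watch it."""
    cov = defaultdict(set)
    for arch, syscalls, _key in parse_rules(text):
        for name in syscalls:
            cov[name].add(arch or "<no arch>")
    return dict(cov)


def missing_arch(text, required=("b32", "b64")):
    """Return {syscall: [missing archs]} for syscalls not watched on every
    required architecture. An empty dict means full coverage."""
    gaps = {}
    for name, archs in coverage(text).items():
        missing = sorted(set(required) - archs)
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    for name, missing in sorted(missing_arch(SAMPLE_RULES).items()):
        print(f"{name}: not watched on {', '.join(missing)}")
```

Run against a real file with `missing_arch(open("/etc/audit/audit.rules").read())`; on the sample above it reports `sethostname` and `setdomainname` as unwatched on `b32`, which is exactly the asymmetry the post asks about. Whether that gap matters on a given host depends on whether 32-bit binaries can run there at all, which the script does not try to decide.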
