That will probably have to be completely variable. For instance, I run containers directly out of systemd (including namespaced applications that aren't traditional containers) so this is going to get really complicated unless you want to start dictating specific software sets.
Trevor

On Fri, Aug 31, 2018 at 3:25 PM Shawn Wells <[email protected]> wrote:

> Received an interesting question from a colleague today.
>
> The various STIG requirements have full paths for auditing, e.g. for
> /usr/bin/chage:
>
> https://rhel7stig.readthedocs.io/en/latest/medium.html#v-72155-all-uses-of-the-chage-command-must-be-audited-rhel-07-030660
>
> Which call for an audit rule similar to:
>
> -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
>
> However, on a container platform (e.g. OpenShift), the root user on nodes
> can execute chage in its own */usr/bin/* as well as within all the
> containers */var/lib/docker/*<UUID>/bin/chage.
>
> What's the best way to capture this in OVAL rules? Was thinking updating
> the regex on path to include the full-path
> (/usr/bin/chage|/var/lib/docker/*/bin/chage).... but not sure if that's a
> standard path that would work for non-OpenShift platforms.
>
> +cc Jeff Pullen who asked the question. Jeff... note this is a *public*
> mailing list ;)
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
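Added example, not part of the original thread or of any SCAP Security Guide content: a coverage check that reports which copies of a binary are not matched by any exec-auditing rule, which is the gap the thread describes. It assumes auditctl semantics where `path=` matches one exact file and `dir=` watches a directory tree recursively; the `dir=` rule, the `/var/lib/containers` path and the container IDs are constructed placeholders.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample rules: the STIG rule quoted in the thread plus a
# hypothetical directory watch over one container storage root.
SAMPLE_RULES = """\
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F dir=/var/lib/docker -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
"""

# Constructed paths; the container IDs are placeholders, not real values.
SAMPLE_BINARIES = [
    "/usr/bin/chage",
    "/var/lib/docker/UUID-PLACEHOLDER-1/bin/chage",
    "/var/lib/containers/UUID-PLACEHOLDER-2/usr/bin/chage",
]

def parse_rules(text):
    """Return (kind, path) for every path=/dir= rule that audits execution."""
    watches = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        # Collect the argument that follows each -F flag.
        fields = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-F"]
        perm = next((f[5:] for f in fields if f.startswith("perm=")), "")
        if "x" not in perm:
            continue  # rule does not audit execute access
        for f in fields:
            kind, sep, value = f.partition("=")
            if sep and kind in ("path", "dir"):
                watches.append((kind, PurePosixPath(value)))
    return watches

def uncovered(binaries, watches):
    """List binaries that no path= (exact) or dir= (recursive) rule covers."""
    missing = []
    for b in map(PurePosixPath, binaries):
        hit = any(
            (kind == "path" and b == p) or (kind == "dir" and p in b.parents)
            for kind, p in watches
        )
        if not hit:
            missing.append(str(b))
    return missing

if __name__ == "__main__":
    print(uncovered(SAMPLE_BINARIES, parse_rules(SAMPLE_RULES)))
```

On a real node the binary list would come from enumerating the storage roots of whatever runtimes are installed, which is why a single fixed path pattern does not generalize across platforms.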
