Re: [PATCH v1] add clock_adjtime to certification rulesets
On 2021-11-04 17:26, Steve Grubb wrote: > Hello Richard, > > On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote: > > The clock_adjtime syscall is missing from several certification rulesets > > that monitor changes to the system clock. Add it. > > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 > > > > Signed-off-by: Richard Guy Briggs > > --- > > rules/30-nispom.rules | 4 ++-- > > rules/30-pci-dss-v31.rules | 4 ++-- > > rules/30-stig.rules| 4 ++-- > > 3 files changed, 6 insertions(+), 6 deletions(-) > > > > diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules > > index e3873ef95069..ecac01a0b4e1 100644 > > --- a/rules/30-nispom.rules > > +++ b/rules/30-nispom.rules 
> > @@ -10,8 +10,8 @@ > > ## Things that could affect time > > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time- > > change > > -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change > > --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change > > --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change > > +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F > > key=time-change > > +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F > > key=time-change > > # Introduced in 2.6.39, commented out because it can make false positives > > #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change > > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change > > Not sure if you saw this, but directly under the change is a rule for that > syscall, but it's commented out. This is because it is a very noisy event. > Anyone that wants it can enable it. Well, how about that! No, I didn't see it, not even when I did a git grep for that symbol. Not sure how I missed that. Yes, that rule *is* noisy. f35 uses clock_adjtime while rhel8 uses adjtimex for the same use, which is why I noticed the missing syscall. Sorry for my noise, please ignore this patch. > -Steve > > > diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules > > index 7062b35f165c..0251bcafcc03 100644 > > --- a/rules/30-pci-dss-v31.rules > > +++ b/rules/30-pci-dss-v31.rules 
> > @@ -77,8 +77,8 @@ > > ## We will place rules to check time synchronization > > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F > > key=10.4.2b-time-change -a always,exit -F arch=b64 -S > > adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F > > arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a > > always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F > > key=10.4.2b-time-change +-a always,exit -F arch=b32 -S > > clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a > > always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F > > key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it > > can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F > > key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F > > key=10.4.2b-time-change diff --git a/rules/30-stig.rules > > b/rules/30-stig.rules > > index 234f239cac06..60384f6b247d 100644 > > --- a/rules/30-stig.rules > > +++ b/rules/30-stig.rules 
> > @@ -26,8 +26,8 @@ > > ## Things that could affect time > > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F > > key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F > > key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F > > key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F > > key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime > > -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S > > clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in > > 2.6.39, commented out because it can make false positives #-a always,exit > > -F arch=b32 -S clock_adjtime -F key=time-change > > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v1] add clock_adjtime to certification rulesets
Hello Richard, On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote: > The clock_adjtime syscall is missing from several certification rulesets > that monitor changes to the system clock. Add it. > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 > > Signed-off-by: Richard Guy Briggs > --- > rules/30-nispom.rules | 4 ++-- > rules/30-pci-dss-v31.rules | 4 ++-- > rules/30-stig.rules| 4 ++-- > 3 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules > index e3873ef95069..ecac01a0b4e1 100644 > --- a/rules/30-nispom.rules > +++ b/rules/30-nispom.rules > @@ -10,8 +10,8 @@ > ## Things that could affect time > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time- > change > -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change > --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change > --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change > +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F > key=time-change > +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F > key=time-change > # Introduced in 2.6.39, commented out because it can make false positives > #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change Not sure if you saw this, but directly under the change is a rule for that syscall, but it's commented out. This is because it is a very noisy event. Anyone that wants it can enable it. -Steve > diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules > index 7062b35f165c..0251bcafcc03 100644 > --- a/rules/30-pci-dss-v31.rules > +++ b/rules/30-pci-dss-v31.rules 
> @@ -77,8 +77,8 @@ > ## We will place rules to check time synchronization > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F > key=10.4.2b-time-change -a always,exit -F arch=b64 -S > adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F > arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a > always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F > key=10.4.2b-time-change +-a always,exit -F arch=b32 -S > clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a > always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F > key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it > can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F > key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F > key=10.4.2b-time-change diff --git a/rules/30-stig.rules > b/rules/30-stig.rules > index 234f239cac06..60384f6b247d 100644 > --- a/rules/30-stig.rules > +++ b/rules/30-stig.rules > @@ -26,8 +26,8 @@ > ## Things that could affect time > -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F > key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F > key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F > key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F > key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime > -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S > clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in > 2.6.39, commented out because it can make false positives #-a always,exit > -F arch=b32 -S clock_adjtime -F key=time-change > #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
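One way to catch the situation Steve points out (a live rule and a commented-out rule for the same syscall in one ruleset), as an added example that is not code from this thread or from the audit project; the rule text it parses is constructed from the nispom block as it would read after the patch, and the parser only handles the `-a ... -F arch=... -S ... -F ...` syscall-rule form used there.

```python
from dataclasses import dataclass

# Constructed sample: the nispom time-change block as it would read after the patch.
PATCHED_NISPOM = """\
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
"""

@dataclass(frozen=True)
class SyscallRule:
    arch: str       # value of -F arch=..., or "any" when the rule has none
    syscall: str    # one entry of the -S list (a rule line yields one record per syscall)
    filters: tuple  # remaining -F filters in order, e.g. ("a0=0x0", "key=time-change")
    active: bool    # False when the line is commented out with a leading '#'

def parse_syscall_rules(text):
    """Parse '-a action,list -F arch=.. -S a,b -F ..' lines, commented-out ones included."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        line = line.lstrip("#").strip()
        if not line.startswith("-a "):
            continue  # free-text comments, -w watches, -D etc. are not syscall rules
        toks = line.split()
        arch, syscalls, filters = None, [], []
        for i, tok in enumerate(toks[:-1]):
            val = toks[i + 1]
            if tok == "-S":
                syscalls.extend(val.split(","))
            elif tok == "-F" and val.startswith("arch="):
                arch = val[len("arch="):]
            elif tok == "-F":
                filters.append(val)
        for s in syscalls:
            rules.append(SyscallRule(arch or "any", s, tuple(filters), active))
    return rules

def shadowed_by_comment(rules):
    """(arch, syscall) pairs that have both a live rule and a commented-out rule."""
    live = {(r.arch, r.syscall) for r in rules if r.active}
    dead = {(r.arch, r.syscall) for r in rules if not r.active}
    return sorted(live & dead)
```

Running `shadowed_by_comment(parse_syscall_rules(PATCHED_NISPOM))` reports clock_adjtime on both arches, and the per-rule `filters` show that the live rule carries `a0=0x0` while the disabled one below it does not.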
[PATCH v1] add clock_adjtime to certification rulesets
The clock_adjtime syscall is missing from several certification rulesets that monitor changes to the system clock. Add it. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 Signed-off-by: Richard Guy Briggs --- rules/30-nispom.rules | 4 ++-- rules/30-pci-dss-v31.rules | 4 ++-- rules/30-stig.rules| 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules index e3873ef95069..ecac01a0b4e1 100644 --- a/rules/30-nispom.rules +++ b/rules/30-nispom.rules @@ -10,8 +10,8 @@ ## Things that could affect time -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules index 7062b35f165c..0251bcafcc03 100644 --- a/rules/30-pci-dss-v31.rules +++ b/rules/30-pci-dss-v31.rules 
@@ -77,8 +77,8 @@ ## We will place rules to check time synchronization -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=10.4.2b-time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=10.4.2b-time-change diff --git a/rules/30-stig.rules b/rules/30-stig.rules index 234f239cac06..60384f6b247d 100644 --- a/rules/30-stig.rules +++ b/rules/30-stig.rules @@ -26,8 +26,8 @@ ## Things that could affect time -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change -- 2.27.0
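Review bot: in the rules/30-nispom.rules hunk, the new live `+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change` sits directly above the unchanged context `# Introduced in 2.6.39, commented out because it can make false positives` and `#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change`, so the file now carries an active clock_adjtime rule and, two lines later, a deliberately disabled one with a comment explaining why. Either drop this change or remove those context lines in the same hunk. Note also that the merged rule applies `-F a0=0x0` to clock_adjtime, which the commented-out rule did not; if that narrowing is intended, the commit message should say so.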
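Review bot: the rules/30-pci-dss-v31.rules hunk leaves `#-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change` and its b64 twin commented out under the "can make false positives" comment while adding a live rule for the same syscall two lines above, so a reader of this file sees two contradictory positions on whether clock_adjtime is audited under key 10.4.2b-time-change. If the live rule is kept, delete those three context lines here rather than leaving the stale disabled rule in place.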
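Review bot: the rules/30-stig.rules hunk shows that clock_adjtime was not "missing" as the commit message claims: the context line `# Introduced in 2.6.39, commented out because it can make false positives` records that it was excluded on purpose. The commit message should explain what changed to justify enabling it despite that false-positive concern (a bugzilla link alone does not survive in git log for readers without access), and the hunk should retire the commented-out `#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change` lines instead of keeping them below the live rule.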