On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote: > I was looking through the stig.rules file that is provided with RHEL > 6.6 and I noticed some differences that I couldn't find in the actual > STIG. After looking at some of the items, I thought maybe they only > apply to RHEL 7. Could someone provide some clarification on the > following: > > - removed ftruncate
This is in the section called: ##- Unauthorized access attempts to files (unsuccessful) Which means we want to catch failed attempts at accessing a file. Ftruncate takes an fd as a parameter, meaning that open(2) was previously called. Open(2) is already in the same set of syscall rules. So, if ftruncate is called with a valid FD, then access was obviously allowed and there is no need to call it out specifically. > - added open_by_handle_at This is a new way of opening files. The syscall is probably not on RHEL6, but because the stig.rules file is for all systems in general, its included in case you are on a new kernel. It may be removed on systems that do not have it. > - added finit_module Also a new system call. > - added sections regarding containers This is not enabled by default. Not all kernels support containers either. (but as mentioned previously, these rules are generic for all systems.) So, I would disregard that section for the moment. I will be doing some more reorganizing of the rules in the near future that will have some base rules and then some extended rules. This will go into the extended rules. -Steve > Thanks, > Andrew Ruch > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
