On Monday, November 17, 2014 11:56:34 AM Steve Grubb wrote:
> On Monday, November 17, 2014 09:30:53 AM Andrew Ruch wrote:
> > I was looking through the stig.rules file that is provided with RHEL
> > 6.6 and I noticed some differences that I couldn't find in the actual
> > STIG. After looking at some of the items, I thought maybe they only
> > apply to RHEL 7. Could someone provide some clarification on the
> > following:
> >
> > - removed ftruncate
>
> This is in the section called:
> ##- Unauthorized access attempts to files (unsuccessful)
>
> Which means we want to catch failed attempts at accessing a file. Ftruncate
> takes an fd as a parameter, meaning that open(2) was previously called.
> Open(2) is already in the same set of syscall rules. So, if ftruncate is
> called with a valid FD, then access was obviously allowed and there is no
> need to call it out specifically.
Hmm...did some looking around...just to make sure. Turns out that if a file is
opened with O_APPEND flags and ftruncate is called on that descriptor, you can
in fact get EPERM. I guess I'll add it back.

-Steve

> > - added open_by_handle_at
>
> This is a new way of opening files. The syscall is probably not on RHEL6,
> but because the stig.rules file is for all systems in general, it's included
> in case you are on a new kernel. It may be removed on systems that do not
> have it.
>
> > - added finit_module
>
> Also a new system call.
>
> > - added sections regarding containers
>
> This is not enabled by default. Not all kernels support containers either.
> (but as mentioned previously, these rules are generic for all systems.) So,
> I would disregard that section for the moment. I will be doing some more
> reorganizing of the rules in the near future that will have some base rules
> and then some extended rules. This will go into the extended rules.
>
> -Steve
>
> > Thanks,
> > Andrew Ruch
> >
> > --
> > Linux-audit mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/linux-audit
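As an added example (not code from this thread or from the audit package), here is a small Python check that parses audit rules laid out like the stig.rules section quoted above and reports which of the syscalls discussed (including ftruncate and open_by_handle_at) are missing from the unsuccessful-access rules for each arch and failure code. The sample rule lines and their auid thresholds are constructed for the example.

```python
# Constructed sample in the layout of the stig.rules section under discussion.
# The b64 -EPERM rule deliberately omits ftruncate, the case the thread raises.
SAMPLE_RULES = """\
##- Unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-w /etc/sudoers -p wa -k actions
"""

# Syscalls the thread expects in that section once ftruncate is added back.
REQUIRED = ("creat", "open", "openat", "open_by_handle_at", "truncate", "ftruncate")
FAILURE_CODES = ("-EACCES", "-EPERM")


def parse_syscall_rules(text):
    """Yield (arch, syscalls, exit_filter) for each '-a' syscall rule."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a"):
            continue  # '-w' watches and comments carry no syscall list
        toks = line.split()
        arch, syscalls, exit_filter = None, set(), None
        for i, tok in enumerate(toks[:-1]):
            if tok == "-S":
                syscalls.update(toks[i + 1].split(","))
            elif tok == "-F":
                key, _, val = toks[i + 1].partition("=")
                if key == "arch":
                    arch = val
                elif key == "exit":
                    exit_filter = val
        yield arch, syscalls, exit_filter


def uncovered(text, required=REQUIRED, arches=("b32", "b64")):
    """Map (arch, exit code) -> syscalls missing from the failed-access rules."""
    covered = {}
    for arch, syscalls, exit_filter in parse_syscall_rules(text):
        if exit_filter in FAILURE_CODES:
            covered.setdefault((arch, exit_filter), set()).update(syscalls)
    gaps = {}
    for arch in arches:
        for code in FAILURE_CODES:
            missing = set(required) - covered.get((arch, code), set())
            if missing:
                gaps[(arch, code)] = missing
    return gaps
```

Calling `uncovered(SAMPLE_RULES)` on the constructed input reports ftruncate missing from the b64 -EPERM rule and no -EPERM rule at all for b32; point it at a real rules file (after loading it with `auditctl -l` or reading it from disk) to audit a deployment.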
