The clock_adjtime syscall is missing from several certification rulesets that monitor changes to the system clock. Add it.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 Signed-off-by: Richard Guy Briggs <[email protected]> --- rules/30-nispom.rules | 4 ++-- rules/30-pci-dss-v31.rules | 4 ++-- rules/30-stig.rules | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules index e3873ef95069..ecac01a0b4e1 100644 --- a/rules/30-nispom.rules +++ b/rules/30-nispom.rules @@ -10,8 +10,8 @@ ## Things that could affect time -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules index 7062b35f165c..0251bcafcc03 100644 --- a/rules/30-pci-dss-v31.rules +++ b/rules/30-pci-dss-v31.rules 
@@ -77,8 +77,8 @@ ## We will place rules to check time synchronization -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=10.4.2b-time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=10.4.2b-time-change diff --git a/rules/30-stig.rules b/rules/30-stig.rules index 234f239cac06..60384f6b247d 100644 --- a/rules/30-stig.rules +++ b/rules/30-stig.rules @@ -26,8 +26,8 @@ ## Things that could affect time -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in 2.6.39, commented out because it can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change -- 2.27.0 -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
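Review bot: in the rules/30-nispom.rules hunk, the two lines that follow the change are now stale: "# Introduced in 2.6.39, commented out because it can make false positives" and the commented-out "#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change" / b64 pair describe clock_adjtime as deliberately disabled, while the line just above them now audits it. Either drop those three lines or reword the comment to say why the live rule is acceptable. Note also that by appending clock_adjtime to the clock_settime line, the existing "-F a0=0x0" filter applies to it too, so only clock_adjtime calls whose first argument (the clockid) is 0, i.e. CLOCK_REALTIME, are recorded; if that narrowing is the intended answer to the old false-positive concern, it is worth stating in the comment, since the unfiltered adjtimex rule directly above will still fire for the same daemons.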
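Review bot: in the rules/30-pci-dss-v31.rules hunk, the same stale block remains after the edited lines: the "# Introduced in 2.6.39, commented out because it can make false positives" comment and the two "#-a ... -S clock_adjtime -F key=10.4.2b-time-change" lines now contradict the enabled rule above them and should be removed or updated together with this change, so the PCI ruleset does not document clock_adjtime as disabled.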
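Review bot: in the rules/30-stig.rules hunk, likewise, the "# Introduced in 2.6.39, commented out because it can make false positives" comment and the two commented-out clock_adjtime lines beneath the changed rules are left in place and now read as if clock_adjtime were still unaudited; please clean them up in the same commit so the three rulesets stay consistent with each other.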
