Hello Josh,

> Hi, I am using oscap on CentOS 7.1 to run a PCI profile check. The system is
> 64-bit (see arch and uname -a). However, when I run the remediation I get
> some 32-bit runs (see /etc/audit/rules.d/audit_time_rules.rules). Can
> anybody explain why this would be? Or is it a bug?
On a 64-bit system you want to track both 32-bit and 64-bit system calls via
audit (since 32-bit applications can also do something wrong there...).

> COMMAND
> oscap xccdf eval --remediate --tailoring-file tailoring.xml --report
> report.html --profile xccdf_org.ssgproject.content_profile_pci-dss_with_ot
> /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
>
> CONFIRM 64BIT
> [root@test ~]# arch
> x86_64
> [root@test ~]# uname -a
> Linux test.checkoutstagingapp.com 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6
> 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> 32 BIT REMEDIATION RULE
> [root@test ~]# cat /etc/audit/rules.d/audit_time_rules.rules
> -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k
> audit_time_rules
> -w /etc/localtime -p wa -k audit_time_rules

This is expected / OK under the assumption that there's also a corresponding
entry for the 64-bit system -- something like:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

The "stime" call doesn't have a 64-bit equivalent:

$ ausyscall x86_64 stime
Unknown syscall stime using x86_64 lookup table
$ ausyscall i686 stime
stime 25

That's why it wouldn't be present in the 64-bit equivalent (but the rest of
the rule, except arch, would be the same).

> Thanks,
>
> Josh Moore
> Chief Architect
> TarokoSoftware

HTH.

Regards,
Jan
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
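The check Jan describes, written out as a script. This is an added example, not code from the thread or from OpenSCAP/SSG: for every `-F arch=b32` rule in an audit rules file it derives the expected `-F arch=b64` twin (same syscalls and key, minus any syscall that has no x86_64 number) and reports whether the file contains it. The only 32-bit-only syscall it knows by default is `stime`, the one the thread shows; anything else has to be supplied in the second argument (assumption: build that list from `ausyscall x86_64 <name>` as Jan did). The two sample rules files are constructed for the demo and are not real remediation output.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSCAP/SSG.
# For every "-F arch=b32" rule in an audit rules file, derive the 64-bit twin
# (same syscalls and key, minus syscalls with no x86_64 number) and check
# that the file also contains it.

# expected_b64 RULE [ONLY32]
# Print the arch=b64 form of one arch=b32 rule, dropping "-S name" pairs for
# every name in ONLY32 (space-separated). Default ONLY32 is "stime", the one
# 32-bit-only call shown in the thread; assumption: extend it with whatever
# "ausyscall x86_64 <name>" reports as unknown for the other calls you audit.
expected_b64() {
    printf '%s\n' "$1" | awk -v only32="${2:-stime}" '
        BEGIN { n = split(only32, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                tok = $i
                nxt = $(i + 1)
                # "-S <name>" with no 64-bit number: drop both tokens
                if (tok == "-S" && (nxt in skip)) { i++; continue }
                # "-F arch=b32" becomes "-F arch=b64"
                if (tok == "-F" && nxt == "arch=b32") { tok = "-F arch=b64"; i++ }
                out = out (out == "" ? "" : " ") tok
            }
            print out
        }'
}

# check_b64_pairs FILE [ONLY32]
# Print each arch=b32 rule's expected arch=b64 twin marked OK or MISSING.
# Exit status 0 when every twin is present in FILE, 1 otherwise.
check_b64_pairs() {
    file=$1
    report=$(grep -- '-F arch=b32' "$file" | while IFS= read -r rule; do
        want=$(expected_b64 "$rule" "$2")
        if grep -qFx -- "$want" "$file"; then
            printf 'OK      %s\n' "$want"
        else
            printf 'MISSING %s\n' "$want"
        fi
    done)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^MISSING '; then
        return 1
    fi
    return 0
}

# Constructed sample files (not real remediation output): the rules from the
# thread, once with the 64-bit twin Jan expects and once without it.
TMP=$(mktemp -d)
cat > "$TMP/good.rules" <<'EOF'
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules
EOF
cat > "$TMP/bad.rules" <<'EOF'
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules
EOF

echo "== good.rules"; check_b64_pairs "$TMP/good.rules"
echo "== bad.rules";  check_b64_pairs "$TMP/bad.rules" || echo "bad.rules: a 64-bit twin is missing"
```

On a real host point `check_b64_pairs` at `/etc/audit/rules.d/audit_time_rules.rules` (or at a file holding `auditctl -l` output) after remediation; a `MISSING` line means a 32-bit rule has no 64-bit counterpart, which is the case Jan says should not happen.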