Hello Josh,

> 
> Hi, I am using oscap on CentOS 7.1 to run a PCI profile check.  The system is
> 64 bit (see arch and uname -a).  However, when I run the remediation I get
> some 32 bit runs (see /etc/audit/rules.d/audit_time_rules.rules).  Can
> anybody explain why this would be? Or is it a bug?

On a 64-bit system you want to track both 32-bit and 64-bit system calls via
audit (since 32-bit applications can also do something wrong there...).

> 
> 
> COMMAND
> oscap xccdf eval --remediate --tailoring-file tailoring.xml --report
> report.html  --profile xccdf_org.ssgproject.content_profile_pci-dss_with_ot
> /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
> 
> CONFIRM 64BIT
> [root@test ~]# arch
> x86_64
> [root@test ~]# uname -a
> Linux test.checkoutstagingapp.com 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6
> 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> 
> 32 BIT REMEDIATION RULE
> [root@test ~]# cat /etc/audit/rules.d/audit_time_rules.rules
> -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k
> audit_time_rules
> -w /etc/localtime -p wa -k audit_time_rules

This is expected / OK under the assumption that there's also a corresponding
entry for the 64-bit system -- something like:

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules

The "stime" call doesn't have a 64-bit equivalent:
$ ausyscall x86_64 stime
Unknown syscall stime using x86_64 lookup table

$ ausyscall i686 stime
stime              25

that's why it wouldn't be present in the 64-bit equivalent (but the rest
of the rule, except arch, would be the same).

> Thanks,
> 
> 
> Josh Moore
> Chief Architect
> TarokoSoftware
> 

HTH.

Regards, Jan
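An added example (not part of Jan's reply or the OpenSCAP content) that turns the reasoning above into a check: for every `-F arch=b32` rule in a rules file it looks for a `-F arch=b64` rule with the same key and the same syscall set, ignoring syscalls that exist only in the 32-bit ABI (stime, as the ausyscall output shows). The sample rules below are constructed from the thread; the function name `check_arch_pairs` and the `B32_ONLY` list are assumptions of this example.

```shell
# Syscalls with no x86_64 equivalent, so a b64 rule is not expected to list them.
# (stime is the one from the thread; extend the list if ausyscall reports others.)
B32_ONLY="stime"

# Constructed sample: the b32 rule from the thread plus the b64 twin Jan describes.
SAMPLE_RULES='-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules'

# Prints one "MISSING b64 rule" line per unpaired b32 rule and returns the number
# of unpaired rules (0 means every b32 rule has its 64-bit twin).
# Real-system use: check_arch_pairs "$(cat /etc/audit/rules.d/*.rules)"
check_arch_pairs() {
    printf '%s\n' "$1" | awk -v b32only="$B32_ONLY" '
    # Sort a whitespace-separated list and join it with commas (canonical set form).
    function sortjoin(str,   n, arr, i, j, tmp, out) {
        n = split(str, arr, " ")
        for (i = 2; i <= n; i++) {
            tmp = arr[i]; j = i - 1
            while (j > 0 && arr[j] > tmp) { arr[j + 1] = arr[j]; j-- }
            arr[j + 1] = tmp
        }
        out = ""
        for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") arr[i]
        return out
    }
    BEGIN { n = split(b32only, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /^-a / {
        arch = ""; key = ""; sc = ""
        for (i = 1; i <= NF; i++) {
            v = $(i + 1)
            if ($i == "-F" && v ~ /^arch=/) arch = substr(v, 6)
            else if ($i == "-k") key = v
            else if ($i == "-S") {
                # -S may be repeated or carry a comma-separated list
                m = split(v, parts, ",")
                for (p = 1; p <= m; p++) if (!(parts[p] in skip)) sc = sc " " parts[p]
            }
        }
        if (arch == "") next              # not a syscall rule (e.g. a -w watch)
        set = sortjoin(sc)
        seen[arch, key, set] = 1
        # a b32 rule whose syscalls are all 32-bit-only needs no b64 twin
        if (arch == "b32" && set != "") { n32++; want[n32] = key SUBSEP set }
    }
    END {
        missing = 0
        for (i = 1; i <= n32; i++) {
            split(want[i], w, SUBSEP)
            if (!(("b64", w[1], w[2]) in seen)) {
                printf "MISSING b64 rule: key=%s syscalls=%s\n", w[1], w[2]
                missing++
            }
        }
        exit missing
    }'
}

check_arch_pairs "$SAMPLE_RULES" && echo "every b32 rule has a b64 counterpart"
```

The comparison is on the canonical syscall set rather than on the raw line, so `-S adjtimex -S settimeofday` and `-S settimeofday,adjtimex` pair up, and a b32 rule that lists only 32-bit-only syscalls is not reported as unpaired.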

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
