Joe

Thanks for the tip on dropping the 'b32'-based rules on all systems where you are exclusively using a 64-bit OS and 64-bit libraries.

Jeff

On Tue, Nov 26, 2024 at 10:57 AM Joe Wulf <joe_w...@yahoo.com> wrote:
> Recommend dropping all the 'b32'-based rules on all systems where you are
> exclusively using a 64-bit OS and 64-bit libraries.
>
> Would be nice if the DISA STIGs modernized their audit rules mandates to
> take this into account as well as optimizations to blend audit rules
> together appropriately (for system and auditing efficiency). This link is
> relevant:
> https://www.linuxquestions.org/questions/red-hat-31/are-seperate-audit-rules-entries-for-32-and-64-bit-architecture-nessissary-4175465001
>
> Thank you.
> R,
> -Joe
>
>
> On Tuesday, November 26, 2024 at 10:29:02 AM EST, Jeff Walzer via
> scap-security-guide <scap-security-guide@lists.fedorahosted.org> wrote:
>
> I am reviewing the auditd rules here
> <https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules>,
> and for example the rules block below lists the rules for Group add delete
> modify:
>
> ## Group add delete modify. This is covered by pam. However, someone could
> ## open a file and directly create or modify a user, so we'll watch group and
> ## gshadow for writes
> -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> -a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> -a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> -a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> -a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
>
> I was looking to see if there was a doc that lists the individual auditd
> rules and the compliance requirement it would validate. So taking those
> rules above and dumping them into a spreadsheet as follows:
>
> User and Group Management Events
>
> Compliance Requirement                              Rules
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
> Group/Role Add, Delete, Modify (Success/Failure)    -a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
>
> Basically a mapping of compliance requirements and the rules associated
> that would be used to validate the compliance requirement.
>
> Thx
> --
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
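The two things this thread asks for, a rule-to-requirement spreadsheet and pruning of the 'b32' twins on 64-bit-only hosts, both come down to parsing the `-a ... -F ...` lines. Below is an added example (not code from the audit-userspace project, the SCAP Security Guide, or either poster) that parses the eight rules quoted above, emits the spreadsheet rows as CSV, and drops each b32 rule only when an otherwise identical b64 rule exists, so a rule that exists only for b32 is never lost. The requirement names in `REQUIREMENT_BY_KEY` are an assumption for illustration; the thread maps all eight rules to the single "Group/Role Add, Delete, Modify" row, and a real mapping would key on the STIG or OSPP control id.

```python
"""Parse auditd watch rules into a compliance-mapping table (added example)."""
import csv
import io
import shlex

# Input: the rule lines quoted in the thread (from 30-ospp-v42.rules).
RULES_TEXT = """\
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
"""

# Assumed mapping from audit key to the requirement it supports; the thread
# puts all of these rules under one "Group/Role Add, Delete, Modify" row.
REQUIREMENT_BY_KEY = {
    "user-modify": "Group/Role Add, Delete, Modify (Success/Failure)",
    "group-modify": "Group/Role Add, Delete, Modify (Success/Failure)",
}

# Longest operators first so 'auid>=1000' is not split on '='.
OPERATORS = ("!=", ">=", "<=", "=", ">", "<")


def parse_rule(line):
    """Return {'action', 'filters', 'raw'} for one '-a action,list -F ...' rule.

    Filters are kept as a list of (name, op, value) because a field such as
    'auid' can legitimately appear twice ('auid>=1000' and 'auid!=unset').
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-a":
        return None
    rule = {"action": tokens[1], "filters": [], "raw": line}
    for flag, expr in zip(tokens[2::2], tokens[3::2]):
        if flag == "-k":                      # '-k key' is shorthand for '-F key='
            rule["filters"].append(("key", "=", expr))
        elif flag == "-F":
            for op in OPERATORS:
                if op in expr:
                    name, value = expr.split(op, 1)
                    rule["filters"].append((name, op, value))
                    break
    return rule


def parse_rules(text):
    """Parse every '-a' line in a rules file; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parsed = parse_rule(line)
            if parsed:
                rules.append(parsed)
    return rules


def filter_value(rule, name, op="="):
    """Value of the first filter 'name op value' in the rule, or None."""
    for n, o, v in rule["filters"]:
        if n == name and o == op:
            return v
    return None


def compliance_rows(rules):
    """One spreadsheet row per rule: requirement, key, arch, path, raw rule."""
    rows = []
    for r in rules:
        key = filter_value(r, "key") or ""
        rows.append({
            "requirement": REQUIREMENT_BY_KEY.get(key, "UNMAPPED"),
            "key": key,
            "arch": filter_value(r, "arch") or "",
            "path": filter_value(r, "path") or "",
            "rule": r["raw"],
        })
    return rows


def drop_b32_duplicates(rules):
    """Remove b32 rules that have an identical b64 twin (64-bit-only hosts).

    A b32 rule without a b64 counterpart is kept, so coverage never shrinks.
    """
    def signature(r):
        return (r["action"], tuple(sorted(f for f in r["filters"] if f[0] != "arch")))
    b64_sigs = {signature(r) for r in rules if filter_value(r, "arch") == "b64"}
    return [r for r in rules
            if not (filter_value(r, "arch") == "b32" and signature(r) in b64_sigs)]


def to_csv(rows):
    """Render the mapping rows as CSV text for a spreadsheet import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["requirement", "key", "arch", "path", "rule"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    print(to_csv(compliance_rows(parsed)))
    kept = drop_b32_duplicates(parsed)
    print(f"{len(parsed)} rules parsed, {len(kept)} kept after dropping b32 twins")
```

The pruning step only applies under the condition both posters state: a host that runs a 64-bit kernel with no 32-bit libraries or binaries. Where a 32-bit binary can still execute, its file writes arrive through the compat syscall table and the b32 rule is what records them, so the filter keeps any b32 rule that has no b64 twin and leaves the decision to drop the twins to the operator.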