stime(2) auditing on x86_64

Todd, Charles CTODD at ball.com
Sun Oct 28 21:51:03 UTC 2007


> -----Original Message-----
> From: Steve Grubb
> Sent: Saturday, October 27, 2007 10:55 AM
> Subject: Re: stime(2) auditing on x86_64
> 
> On Saturday 27 October 2007 12:29:39 am Todd, Charles wrote:
> > I was trying to get my system to pass a System Readiness Review (SRR)
> > from disa.mil and it would appear that stime(2) is not audited under
> > x86_64, either in v1.0.15 or v1.2.1 of auditd.
> 
> That is because x86_64 does not have that syscall. It uses 
> settimeofday for the same functionality. But, it does exist 
> in the 32 bit compatibility layer. 

Okay, I understand the bi-arch thing except one thing: does that mean
the 32-bit compatibility layer is ultimately calling the 64-bit version?
If I audit settimeofday(), will it grab both the 64-bit version as well
as the brokered 32-bit stime() call?  My gut tells me yes, but I wanted
to ask just to be sure.

> > A careful observer will note that the CAPP suggested configuration 
> > already captures adjtimex and settimeofday.  I just want to pass my 
> > test, but is there overlap here that I should push back on?
> 
> Not really, I think DISA is telling you the intent and that
> needs to be interpreted/extended to cover bi-arch systems. I
> should probably update the man pages to clarify things
> regarding bi-arch systems. I think Matt Booth pointed out
> something similar a week or two ago.
> 

DISA's intent and their SRRs have always been two completely separate
entities.  Testers only see that I don't have that flag, and less
resourceful security folks won't know how to argue back.  Ultimately, we
need to teach DISA to write better tests.  

Thanks for the on-target response.  Sorry to see you were checking
e-mail on the weekend. :-)

Charlie Todd
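
A bi-arch coverage check for the time-change syscalls named in this thread, as an added example that is not part of the original message or of the audit project's code: it parses audit rules and reports, per architecture, which of stime, settimeofday and adjtimex have no rule. It assumes syscall rules are scoped with `-F arch=b32` / `-F arch=b64`, treats a rule with no arch field as native b64, and uses constructed sample rules.

```python
import shlex

# Time-change syscalls named in the thread; stime exists only in the 32-bit ABI.
REQUIRED = {
    "b32": {"stime", "settimeofday", "adjtimex"},
    "b64": {"settimeofday", "adjtimex"},
}

def covered_syscalls(rules_text):
    """Return {arch: syscall names} audited by 'always' rules on the exit/entry lists."""
    covered = {arch: set() for arch in REQUIRED}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        # Assumption: a rule without -F arch= applies to the native (b64) ABI only.
        arch, syscalls, action = "b64", set(), set()
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-a", "-A"):
                action = set(value.split(","))  # accepts "always,exit" and "exit,always"
            elif flag == "-F" and value.startswith("arch="):
                arch = value.split("=", 1)[1]
            elif flag == "-S":
                syscalls.update(value.split(","))
        if "always" in action and action & {"exit", "entry"} and arch in covered:
            covered[arch] |= syscalls
    return covered

def missing_time_rules(rules_text):
    """Return {arch: sorted list of required syscalls that no rule audits}."""
    cov = covered_syscalls(rules_text)
    return {arch: sorted(REQUIRED[arch] - cov[arch]) for arch in REQUIRED}

# Constructed sample rule sets (not taken from the thread).
B64_ONLY = "-a always,exit -F arch=b64 -S settimeofday -S adjtimex -k time-change\n"
BIARCH = B64_ONLY + (
    "-a always,exit -F arch=b32 -S stime -S settimeofday -S adjtimex -k time-change\n"
)

if __name__ == "__main__":
    for name, rules in (("b64 only", B64_ONLY), ("bi-arch", BIARCH)):
        print(name, missing_time_rules(rules))
```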






