RHEL 8 audit rules
Steve Grubb
sgrubb at redhat.com
Wed Nov 6 16:49:56 UTC 2019
On Wednesday, November 6, 2019 4:39:54 AM EST MAUPERTUIS, PHILIPPE wrote:
> The rules proposed in /usr/share/doc/audit/rules/ contain 32-bit stuff.
> For example :
> ## 10.2.5.b All elevation of privileges is logged
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
> -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
>
> Is it still necessary for RHEL 8?
For RHEL 8 itself, no. But the 32-bit ABI is available for legacy programs.
> Would the 21-no32bit.rules be enough ?
If you know for certain that no 32-bit apps will ever be used, then yes. And
then you can also delete all 32-bit rules to improve performance.
This gives me an idea that perhaps the sample rules could be split up into 32-
and 64-bit so that we can improve system performance ever so slightly.
> Can we run any 32-bit binary on RHEL 8?
Yep. And that also means that a malicious python program can call the 32-bit
ABI in an attempt at avoiding detection.
-Steve
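The evasion Steve describes (keeping the 32-bit ABI available but auditing only arch=b64) leaves a gap that is easy to check for mechanically. The script below is an added example, not code from the original post or from the audit project: it parses auditctl syscall rules, pairs every arch=b64 rule with an arch=b32 rule that has the same action, syscalls and filters, and reports the b64 rules that have no twin. It also treats a leading `-a never,exit -F arch=b32 -S all` rule as closing the gap for everything after it, since the kernel's exit filter takes the first matching rule; that form is my assumption of what a "no 32-bit" rule set looks like, so compare it with the 21-no32bit.rules file on your system. The sample rule set is constructed for the example, modelled on the quoted PCI-DSS rule.

```python
"""Find arch=b64 audit rules that have no arch=b32 counterpart.

Added example; not part of the original post or of audit-userspace.
"""
import shlex

# Constructed sample, modelled on the quoted PCI-DSS style rules.
# The setresuid rule is deliberately b64-only so the checker has something to find.
SAMPLE_RULES = """\
## 10.2.5.b All elevation of privileges is logged (constructed sample)
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
-w /etc/passwd -p wa -k identity
"""

# Assumed shape of a "drop every 32-bit syscall" rule (compare with 21-no32bit.rules).
NO32_ACTION, NO32_ARCH, NO32_SYSCALLS = "exit,never", "b32", frozenset({"all"})


def parse_rule(line):
    """Parse one '-a ...' syscall rule into a dict.

    Returns None for blank lines, comments, watch rules (-w) and anything else
    that is not a syscall rule. arch and key are pulled out of the -F filters
    because they must not take part in matching a b64 rule to its b32 twin.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    argv = shlex.split(line)
    if not argv or argv[0] not in ("-a", "-A"):
        return None
    rule = {"action": None, "arch": None, "syscalls": set(), "filters": [], "key": None}
    for i in range(0, len(argv) - 1, 2):
        opt, val = argv[i], argv[i + 1]
        if opt in ("-a", "-A"):
            # auditctl accepts both "always,exit" and "exit,always"; normalise.
            rule["action"] = ",".join(sorted(val.split(",")))
        elif opt == "-S":
            rule["syscalls"].update(val.split(","))
        elif opt == "-F":
            if val.startswith("arch="):
                rule["arch"] = val[len("arch="):]
            elif val.startswith("key="):
                rule["key"] = val[len("key="):]
            else:
                rule["filters"].append(val)
        elif opt == "-k":
            rule["key"] = val
    rule["syscalls"] = frozenset(rule["syscalls"])
    rule["filters"] = tuple(sorted(rule["filters"]))
    return rule


def identity(rule):
    """Everything that must agree between a b64 rule and its b32 twin."""
    return (rule["action"], rule["syscalls"], rule["filters"])


def find_uncovered_b64(rules_text):
    """Return the b64 rules (in file order) that no b32 rule mirrors.

    A '-a never,exit -F arch=b32 -S all' rule with no other filters makes every
    later b64 rule safe: the exit filter stops at the first matching rule, so
    32-bit syscalls are discarded before the b64 rules are consulted.
    """
    rules = [r for r in (parse_rule(l) for l in rules_text.splitlines()) if r]
    b32_identities = {identity(r) for r in rules if r["arch"] == "b32"}
    uncovered, b32_dropped = [], False
    for r in rules:
        if (r["action"], r["arch"], r["syscalls"]) == (NO32_ACTION, NO32_ARCH, NO32_SYSCALLS) \
                and not r["filters"]:
            b32_dropped = True
            continue
        if r["arch"] != "b64" or b32_dropped:
            continue
        if identity(r) not in b32_identities:
            uncovered.append(r)
    return uncovered


def describe(rule):
    """One-line summary of a rule for reporting."""
    return "{} -S {} {} key={}".format(rule["action"], ",".join(sorted(rule["syscalls"])),
                                       " ".join(rule["filters"]), rule["key"])


if __name__ == "__main__":
    for r in find_uncovered_b64(SAMPLE_RULES):
        print("no b32 twin:", describe(r))
```

Run it against the real files with `cat /etc/audit/rules.d/*.rules | python3 check_b32.py` (reading stdin instead of SAMPLE_RULES) after deciding whether the box keeps the 32-bit ABI; if it does not, the 21-no32bit approach makes the per-rule twins unnecessary, which is exactly what the checker reports once that rule is placed first.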