[PATCH v1] add clock_adjtime to certification rulesets

Richard Guy Briggs rgb at redhat.com
Thu Nov 4 21:01:10 UTC 2021


The clock_adjtime syscall is missing from several certification rulesets that
monitor changes to the system clock.  Add it.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 rules/30-nispom.rules      | 4 ++--
 rules/30-pci-dss-v31.rules | 4 ++--
 rules/30-stig.rules        | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
index e3873ef95069..ecac01a0b4e1 100644
--- a/rules/30-nispom.rules
+++ b/rules/30-nispom.rules
@@ -10,8 +10,8 @@
 ## Things that could affect time
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
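Review bot: the three trailing context lines of this hunk ("# Introduced in 2.6.39, commented out because it can make false positives" and the two commented-out clock_adjtime rules) are now stale, because clock_adjtime is enabled on the two new lines above them; either drop them or reword the comment to explain why the a0=0x0 form is considered acceptable. Note also that a0=0x0 selects clock id 0, CLOCK_REALTIME, which is exactly the clock a time-sync daemon adjusts, so the filter narrows the rule to the realtime clock but does not by itself remove the routine events the old comment warned about; the commit message should say that this noise is accepted as the cost of the certification coverage.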
diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
index 7062b35f165c..0251bcafcc03 100644
--- a/rules/30-pci-dss-v31.rules
+++ b/rules/30-pci-dss-v31.rules
@@ -77,8 +77,8 @@
 ## We will place rules to check time synchronization
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=10.4.2b-time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=10.4.2b-time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=10.4.2b-time-change
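Review bot: the same stale block survives in this file ("# Introduced in 2.6.39, commented out because it can make false positives" plus the two commented-out clock_adjtime rules keyed 10.4.2b-time-change); with clock_adjtime now active two lines above, remove them or update the comment so the ruleset does not contradict itself.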
diff --git a/rules/30-stig.rules b/rules/30-stig.rules
index 234f239cac06..60384f6b247d 100644
--- a/rules/30-stig.rules
+++ b/rules/30-stig.rules
@@ -26,8 +26,8 @@
 ## Things that could affect time
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
 -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
+-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F key=time-change
 # Introduced in 2.6.39, commented out because it can make false positives
 #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
 #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
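Review bot: as in the other two files, the commented-out clock_adjtime rules and their "commented out because it can make false positives" note are left in place directly under the new active rule; they should be removed or reworded in the same patch so all three certification files carry a consistent explanation.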
-- 
2.27.0