[PATCH v1] add clock_adjtime to certification rulesets
Steve Grubb
sgrubb at redhat.com
Thu Nov 4 21:26:17 UTC 2021
Hello Richard,
On Thursday, November 4, 2021 5:01:10 PM EDT Richard Guy Briggs wrote:
> The clock_adjtime syscall is missing from several certification rulesets
> that monitor changes to the system clock. Add it.
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> rules/30-nispom.rules | 4 ++--
> rules/30-pci-dss-v31.rules | 4 ++--
> rules/30-stig.rules | 4 ++--
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/rules/30-nispom.rules b/rules/30-nispom.rules
> index e3873ef95069..ecac01a0b4e1 100644
> --- a/rules/30-nispom.rules
> +++ b/rules/30-nispom.rules
> @@ -10,8 +10,8 @@
> ## Things that could affect time
> -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-
> change
> -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
> --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
> --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
> +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=time-change
> +-a always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=time-change
> # Introduced in 2.6.39, commented out because it can make false positives
> #-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
> #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
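Review bot: the two commented-out clock_adjtime rules and the "# Introduced in 2.6.39, commented out because it can make false positives" comment directly below the changed lines are left untouched, so 30-nispom.rules now carries an active clock_adjtime rule and, three lines later, a note saying the syscall is deliberately disabled. Either drop those three lines or reword the comment to state the remaining difference: the new combined rule carries `-F a0=0x0`, and because clock_adjtime takes a clockid as its first argument just as clock_settime does, the filter limits matches to clock id 0 (CLOCK_REALTIME), whereas the commented rule had no filter at all. That narrowing should also be spelled out in the commit message, since it is what separates this change from the unfiltered rule that was disabled for noise. Separately, the rules in this hunk are line-wrapped in the mail (`-F key=time-` / `change`, `-F` / `key=time-change`); please check that the patch as sent applies with each rule on a single line, otherwise auditctl will reject the fragments.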
Not sure if you saw this, but directly under the change is a rule for that
syscall, but it's commented out. This is because it is a very noisy event.
Anyone that wants it can enable it.
-Steve
> diff --git a/rules/30-pci-dss-v31.rules b/rules/30-pci-dss-v31.rules
> index 7062b35f165c..0251bcafcc03 100644
> --- a/rules/30-pci-dss-v31.rules
> +++ b/rules/30-pci-dss-v31.rules
> @@ -77,8 +77,8 @@
> ## We will place rules to check time synchronization
> -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> key=10.4.2b-time-change -a always,exit -F arch=b64 -S
> adjtimex,settimeofday -F key=10.4.2b-time-change --a always,exit -F
> arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change --a
> always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> key=10.4.2b-time-change +-a always,exit -F arch=b32 -S
> clock_settime,clock_adjtime -F a0=0x0 -F key=10.4.2b-time-change +-a
> always,exit -F arch=b64 -S clock_settime,clock_adjtime -F a0=0x0 -F
> key=10.4.2b-time-change # Introduced in 2.6.39, commented out because it
> can make false positives #-a always,exit -F arch=b32 -S clock_adjtime -F
> key=10.4.2b-time-change #-a always,exit -F arch=b64 -S clock_adjtime -F
> key=10.4.2b-time-change diff --git a/rules/30-stig.rules
> b/rules/30-stig.rules
> index 234f239cac06..60384f6b247d 100644
> --- a/rules/30-stig.rules
> +++ b/rules/30-stig.rules
> @@ -26,8 +26,8 @@
> ## Things that could affect time
> -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F
> key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F
> key=time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F
> key=time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F
> key=time-change +-a always,exit -F arch=b32 -S clock_settime,clock_adjtime
> -F a0=0x0 -F key=time-change +-a always,exit -F arch=b64 -S
> clock_settime,clock_adjtime -F a0=0x0 -F key=time-change # Introduced in
> 2.6.39, commented out because it can make false positives #-a always,exit
> -F arch=b32 -S clock_adjtime -F key=time-change
> #-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
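Review bot: the 30-pci-dss-v31.rules hunk has the same leftover as the nispom one: the "# Introduced in 2.6.39, commented out because it can make false positives" comment and the two `#-a ... -S clock_adjtime -F key=10.4.2b-time-change` lines remain below the now-active `clock_settime,clock_adjtime` rule, so the file documents the syscall as disabled while it is in fact enabled (for clock id 0 only, via `-F a0=0x0`). Remove those three lines or rewrite the comment to say that clock_adjtime for other clocks is left unmonitored on purpose; the `10.4.2b-time-change` key is correctly preserved on the new rule.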
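Review bot: in the 30-stig.rules hunk the stale block below the change ("# Introduced in 2.6.39, commented out because it can make false positives" plus the two commented `-S clock_adjtime -F key=time-change` rules) again contradicts the new active rule and should be dropped or reworded in the same way as in the other two files. Since all three rulesets receive the identical edit, one sentence in the commit message noting that the `-F a0=0x0` filter is intentionally applied to clock_adjtime (CLOCK_REALTIME only), rather than the unfiltered form the commented rule used, would save each file from needing its own explanation.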
More information about the Linux-audit mailing list