Ignore unknown syscalls on aarch64 #157

Merged: 2 commits into dev-sec:master from ignore-unknown-syscalls-aarch64, Nov 16, 2023

Conversation

IvDoorn (Contributor) commented Nov 16, 2023

The auditd rules as indicated in the CIS rules don't work on AL2023 Graviton (aarch64) instances. The unavailable syscalls:

  • unlink
  • rename
  • creat
  • open
  • chown
  • lchown
  • chmod

For full consistency, I've updated the checks to support the previously used auditd rule, and also added a second rule with the unavailable syscalls removed.

The stime syscall is also not available, but in cis-dil-benchmark-4.1.5 this syscall is already excluded from the line.

Signed-off-by: Ivo van Doorn ivovandoorn@samotics.com

@IvDoorn force-pushed the ignore-unknown-syscalls-aarch64 branch 2 times, most recently from ba23680 to 24b5e8d, November 16, 2023 11:33
@IvDoorn force-pushed the ignore-unknown-syscalls-aarch64 branch from 24b5e8d to 1b713da, November 16, 2023 11:54

schurzi (Contributor) left a comment

I do not like the approach with describe.one here, since it would allow using the aarch64 audit rules on x86_64, which would then not cover all required events.

I think it would be better to split the encasing if blocks into separate sections for x86_64 and aarch64. What do you think about this approach?

IvDoorn (Contributor, Author) commented Nov 16, 2023

> I do not like the approach with describe.one here, since it would allow to use the aarch64 audit rules on x86_64 which would then not cover all required events.
>
> I think it would be better to split the encasing if blocks into separate sections for x86_64 and aarch64. What do you think about this approach?

I'm not against it :)
Do you mean that for x86_64 we enforce:

```ruby
its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
```

and for aarch64:

```ruby
its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlinkat -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }
```

Or should we still use describe.one for aarch64? Because I'm not sure if the missing symbols are a thing for Amazon Graviton specifically, or a general architecture issue.

schurzi (Contributor) commented Nov 16, 2023

Exactly.

Regarding the question if this is an ARM or a Graviton thing, I am also a bit puzzled. I have taken a look at the audit code for different architectures and I am inclined to think that it is a general thing.

For reference:
https://github.com/linux-audit/audit-userspace/blob/master/lib/aarch64_table.h
https://github.com/linux-audit/audit-userspace/blob/master/lib/x86_64_table.h

And looking at these tables, there might be additional syscalls we need to add to keep up with new developments in the Linux kernel/audit, but that is for another PR ;)
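The two points in this thread (the aarch64 syscall table lacks unlink, rename, creat, open, chown, lchown and chmod, and a describe.one over both rules would let the reduced aarch64 rule pass on x86_64) can be shown in a few lines of Ruby, the language of the InSpec checks the PR edits. The block below is an added example, not code from the dev-sec project or from this PR. The syscall sets are constructed subsets of the audit-userspace tables linked above, limited to the names the delete/perm_mod rules use; UID_MIN is assumed to be 1000; the function names are my own.

```ruby
# Added example, not code from the dev-sec project or this PR.
# Demonstrates why the audit-rule check must be selected by architecture
# rather than accepting either architecture's rule with describe.one.
require 'set'

# Constructed subsets of the audit-userspace syscall tables
# (lib/x86_64_table.h and lib/aarch64_table.h): only the names relevant to
# the CIS "delete" and "perm_mod" rules are listed here.
AUDIT_SYSCALLS = {
  'x86_64'  => Set.new(%w[unlink unlinkat rename renameat chmod fchmod fchmodat
                          chown fchown fchownat lchown creat open openat]),
  'aarch64' => Set.new(%w[unlinkat renameat fchmod fchmodat fchown fchownat openat]),
}.freeze

UID_MIN = 1000              # assumed UID_MIN from /etc/login.defs
AUID_UNSET = 4_294_967_295  # -1 as unsigned: processes without a login uid

# Drop the syscalls the architecture does not have, so auditctl can load the
# rule at all (a single unknown name makes auditctl reject the whole line).
def supported_syscalls(arch, wanted)
  table = AUDIT_SYSCALLS.fetch(arch)
  wanted.select { |name| table.include?(name) }
end

# The rule line to ship in audit.rules for this architecture.
def audit_rule(arch, wanted, key)
  flags = supported_syscalls(arch, wanted).map { |name| "-S #{name}" }.join(' ')
  "-a always,exit -F arch=b64 #{flags} -F auid>=#{UID_MIN} -F auid!=#{AUID_UNSET} -k #{key}"
end

# Regex equivalent of the InSpec `its('content') { should match(...) }` check.
def rule_regex(arch, wanted, key)
  flags = supported_syscalls(arch, wanted).map { |name| "-S #{Regexp.escape(name)}" }.join(' ')
  /^-a (always,exit|exit,always) -F arch=b64 #{flags} -F auid>=#{UID_MIN} -F auid!=#{AUID_UNSET} -k #{key}$/
end

# Merged approach: the expected rule is chosen by the host's architecture,
# so the reduced aarch64 rule never satisfies the check on an x86_64 host.
def rule_present?(arch, rules_content, wanted, key)
  regex = rule_regex(arch, wanted, key)
  rules_content.each_line.any? { |line| line.chomp.match?(regex) }
end

# Rejected describe.one approach: passes if either architecture's rule is
# present, which lets an x86_64 host skip unlink/rename auditing.
def rule_present_either?(rules_content, wanted, key)
  AUDIT_SYSCALLS.keys.any? { |arch| rule_present?(arch, rules_content, wanted, key) }
end

DELETE_SYSCALLS = %w[unlink unlinkat rename renameat].freeze

# Constructed audit.rules contents for three hosts.
ARM_RULES      = audit_rule('aarch64', DELETE_SYSCALLS, 'delete') + "\n"
X86_RULES_FULL = audit_rule('x86_64', DELETE_SYSCALLS, 'delete') + "\n"
X86_RULES_WEAK = ARM_RULES  # the aarch64 rule copied onto an x86_64 host

if __FILE__ == $PROGRAM_NAME
  puts "aarch64 rule: #{audit_rule('aarch64', DELETE_SYSCALLS, 'delete')}"
  puts "x86_64 rule:  #{audit_rule('x86_64', DELETE_SYSCALLS, 'delete')}"
  puts "x86_64 host with reduced rule, per-arch check:     #{rule_present?('x86_64', X86_RULES_WEAK, DELETE_SYSCALLS, 'delete')}"
  puts "x86_64 host with reduced rule, describe.one check: #{rule_present_either?(X86_RULES_WEAK, DELETE_SYSCALLS, 'delete')}"
end
```

Run it with `ruby audit_rules.rb` (any filename). The per-architecture check reports false for the x86_64 host carrying only the reduced rule, while the describe.one variant reports true, which is the gap schurzi describes: on x86_64 the unlink and rename syscalls would go unaudited without the check noticing.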

Split the architecture branches, to force the logging
of the correct syscalls for each architecture.

Signed-off-by: Ivo van Doorn <ivovandoorn@samotics.com>
@IvDoorn IvDoorn requested a review from schurzi November 16, 2023 15:30
@schurzi schurzi merged commit e26995f into dev-sec:master Nov 16, 2023
4 checks passed
schurzi (Contributor) commented Nov 16, 2023

Awesome, thank you!

@IvDoorn IvDoorn deleted the ignore-unknown-syscalls-aarch64 branch November 16, 2023 15:36