Ignore unknown syscalls on aarch64 #157
Conversation
ba23680 to 24b5e8d
The auditd rules as indicated in the CIS rules don't work on AL2023 Graviton (aarch64) instances. The unavailable syscalls:

- unlink
- rename
- creat
- open
- chown
- lchown
- chmod

For full consistency, I've updated the checks to support the previously used auditd rule, and also added a second rule with the unavailable syscall removed.

The stime syscall is also not available, but in cis-dil-benchmark-4.1.5 this syscall is already excluded from the line.

Signed-off-by: Ivo van Doorn <ivovandoorn@samotics.com>
24b5e8d to 1b713da
I do not like the approach with describe.one here, since it would allow to use the aarch64 audit rules on x86_64, which would then not cover all required events. I think it would be better to split the encasing if blocks into separate sections for x86_64 and aarch64. What do you think about this approach?
I'm not against it :)
Or should we still use describe.one for … and for …?
Exactly. Regarding the question if this is an ARM or a Graviton thing, I am also a bit puzzled. I have taken a look at the audit code for different architectures and I am inclined to think that it is a general thing. For reference:

And looking at these tables, there might be additional syscalls we need to add to keep up with new developments in the Linux kernel/audit, but that is for another PR ;)
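The review thread above turns on one point: a check that accepts either architecture's rule (the describe.one approach) lets the trimmed aarch64 rule pass on an x86_64 host, where chmod, chown and lchown would then go unaudited. The Ruby below is an added example, not code from the cis-dil-benchmark project, that models both checks side by side. The list of syscalls unavailable on aarch64 is taken from the PR description; the syscall list for the sample rule, the helper names (required_syscalls, parse_audit_rules, strict_check, lenient_check) and the sample auditctl-style rule lines are constructed for illustration.

```ruby
require 'set'

# Added example, not code from the cis-dil-benchmark project: it models the
# per-architecture auditd rule check discussed in the review. The set of
# syscalls missing on aarch64 comes from the PR description; the sample rule
# list and the helper names below are constructed for illustration.

# Syscalls the PR reports as unavailable on aarch64 (AL2023 Graviton instances).
UNAVAILABLE_ON_AARCH64 = Set.new(%w[unlink rename creat open chown lchown chmod]).freeze

# Constructed syscall list for one CIS-style "permission modification" rule.
PERM_MOD_SYSCALLS = %w[chmod fchmod fchmodat chown fchown fchownat lchown].freeze

# Syscalls a rule must audit on the given architecture: the full list on
# x86_64, the list minus the syscalls that do not exist on aarch64.
def required_syscalls(syscalls, arch)
  case arch
  when 'x86_64'  then Set.new(syscalls)
  when 'aarch64' then Set.new(syscalls) - UNAVAILABLE_ON_AARCH64
  else raise ArgumentError, "unsupported architecture: #{arch}"
  end
end

# Parse `auditctl -l` style lines into the set of syscalls each rule audits.
# Both the `-S a,b,c` form and the repeated `-S a -S b` form are accepted.
def parse_audit_rules(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    tokens = line.split
    syscalls = Set.new
    tokens.each_with_index do |tok, i|
      syscalls.merge(tokens[i + 1].split(',')) if tok == '-S' && tokens[i + 1]
    end
    { line: line, syscalls: syscalls }
  end
end

# True when at least one loaded rule audits every required syscall.
def covered?(loaded_rules, required)
  loaded_rules.any? { |rule| required.subset?(rule[:syscalls]) }
end

# Strict check (the approach the reviewer asks for): the expected syscall
# list is chosen by the host's architecture, so a trimmed rule on x86_64 fails.
def strict_check(rule_text, arch)
  covered?(parse_audit_rules(rule_text), required_syscalls(PERM_MOD_SYSCALLS, arch))
end

# Lenient check (the describe.one approach): pass if the loaded rule matches
# either architecture's list. On x86_64 this accepts the trimmed aarch64 rule
# and silently loses coverage of chmod, chown and lchown.
def lenient_check(rule_text)
  rules = parse_audit_rules(rule_text)
  %w[x86_64 aarch64].any? { |arch| covered?(rules, required_syscalls(PERM_MOD_SYSCALLS, arch)) }
end

# Constructed sample: the rule as it would be loaded on an aarch64 host, with
# the unavailable syscalls removed.
AARCH64_RULE = "-a always,exit -F arch=b64 -S fchmod,fchmodat,fchown,fchownat -F auid>=1000 -F auid!=-1 -k perm_mod\n"
# Constructed sample: the full rule as it would be loaded on an x86_64 host.
X86_64_RULE = "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod\n"

if $PROGRAM_NAME == __FILE__
  puts "x86_64 host, full rule, strict:     #{strict_check(X86_64_RULE, 'x86_64')}"
  puts "aarch64 host, trimmed rule, strict: #{strict_check(AARCH64_RULE, 'aarch64')}"
  puts "x86_64 host, trimmed rule, strict:  #{strict_check(AARCH64_RULE, 'x86_64')}"
  puts "x86_64 host, trimmed rule, lenient: #{lenient_check(AARCH64_RULE)}"
end
```

The last two lines of output are the point of the thread: the strict check reports the trimmed rule as a failure on x86_64, while the lenient check reports it as a pass, which is exactly the lost coverage the reviewer objects to. In a real InSpec control the branch on architecture would be taken from os.arch and the rule text from the auditd resource rather than from the constructed strings here.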
Split the architecture branches, to force the logging of the correct syscalls for each architecture.

Signed-off-by: Ivo van Doorn <ivovandoorn@samotics.com>
Awesome, thank you!