IvDoorn
commented
11 months ago I do not like the approach with
describe.onehere, since it would allow to use theaarch64audit rules onx86_64which would then not cover all required events.I think it would be better to split the encasing
ifblocks into separate sections forx86_64andaarch64. What do you think about this approach?
I'm not against it :)
Do you mean that for x86_64 we enforce:
its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }and for aarch64:
its('content') { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlinkat -S renameat -F auid>=#{uid_min} -F auid!=4294967295 -k delete$/) }Or should we still use describe.one for aarch64? Because I'm not sure if the missing symbols is a thing for Amazon Gravitron specifically, or general architecture issue.
schurzi
The auditd rules as indicated in the CIS rules, don't work on AL2023 Gravitron (aarch64) instances. The unavailable syscalls:
For full consistency, I've updated the checks to support the previously used auditd rule, and also added a second rule with the unavailable syscall removed.
The stime syscall is also not available, but in cis-dil-benchmark-4.1.5 this syscall is already excluded from the line.
Signed-off-by: Ivo van Doorn ivovandoorn@samotics.com