auditd_time_change clock_settime failed on RHEL 8

[warrenbel]

I am getting a fail on clock_settime

I think the missing is the "-F a0=0x0"

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key= -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=

[tom-krieger]

Can you please be a bit more precise? I can not see any issue with the auditd rules on Rhel 8.

According to the CIS Benchmark for RHEL 8 v 2.0.0 the following rules should be added: -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time- change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time- change -w /etc/localtime -p wa -k time-change

And that's what the module does.

From where did you get the "-F a0=0x0" information?

[warrenbel]

okay right. CIS RHEL8 v2.0.0 document does not have the "-F a0=0x0".

I am using the OpenSCAP with profile CIS RHEL8 v2.0.0, released 2022-02-23

it should be the same version, I am not sure why OpenSCAP has additional filter. I will try reaching out to them.

[tom-krieger]

Please keep me informed. I'm curious about results. I leave this one open for the moment

[warrenbel]

there is no clear solution yet. CIS is releasing CIS v3.0,0 Benchmark But they said they're still expecting the following rules:

-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change

RedHat however is recommending to add -F a0=0x0

[tom-krieger]

Is there any news in that or can we close this issue?

[tom-krieger]

As there is no new information I close this now.