-
Task
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
False
-
None
-
False
-
-
While working on https://issues.redhat.com/browse/OCPBUGS-26193 I noticed that some of the audit rules are duplicate in DISA's OCP4 STIG.
See for example item CNTR-OS-000960, which corresponds to SRG-APP-000501-CTR-001265.
See for example the rules for "unlinkat" syscall.
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ... -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Both blocks of syscall rules with -F exit EACCESS and EPERM are equivalent.
The difference is that the first block is more efficient. And actually, the duplication of the audit rules increases the load on the system, as more rules need to be evaluated for each executed syscall.
We need to work with DISA to find and remove the duplicated audit rules.