Update audit.rules #100

Open. Wants to merge 2 commits into base: master.

Conversation

Pierre-Gronau-ndaal
Contributor

No description provided.

@kovacs-andras
Contributor

Hi!
Why the comment CentOS?
Why the 32bit rule?

@Neo23x0
Owner

Neo23x0 commented Jul 28, 2023

Hi @kovacs-andras, why are the 32bit rules noisy?

And yes, I merged another PR by you that removed many 32bit rules,
BUT I'd like to understand why you consider them noisy. If they aren't really noisy I'd like to keep them, because many of our customers run old versions of Linux on old hardware and would like to see these applications covered.

PS: just recently a customer asked if our software supported a SUSE Linux 10 version released in 2009, because they still have hundreds of systems running that OS on 32bit arch.

@Pierre-Gronau-ndaal
Contributor Author

> Hi! Why the comment CentOS? Why the 32bit rule?

At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls.

@kovacs-andras
Contributor

@Neo23x0 Sorry for the late reply. If you want to keep 32 bit rules, that's fine by me. I don't think they would make extra noise, but more rules have a bigger performance impact. 32 bit rules on a modern system imho don't have any benefit.
https://access.redhat.com/solutions/666333
"Adding a rule for both 32 bit and 64 bit is likely to add overhead without any benefit considering performance of the system."
Ofc. there are a few, terrible, still 32bit AV software but we need to suppress their logs anyways.
There is a rule for 32bit API Exploitation also which should be enough in most cases: https://github.com/Neo23x0/auditd/blob/master/audit.rules#L741-L746

OH my... SLES 10 LTS support ended 7 years ago, didn't it? (I even rebuilt all the SLES11 servers ~4 years ago.) As far as I can recall, there are major auditd version differences between these old systems and now. On SLES11 it was maybe v1.8, while now it is at least v2-3 on supported systems. So those old kernels and auditd versions won't be able to use rules like https://github.com/Neo23x0/auditd/blob/master/audit.rules#L730-L731
I hope you can convince them to rebuild those servers.

@kovacs-andras
Contributor

@Pierre-Gronau-ndaal please check https://github.com/Neo23x0/auditd/blob/master/audit.rules#L741-L746
"32bit API Exploitation: If you are on a 64 bit platform, everything should be running in 64 bit mode. This rule will detect any use of the 32 bit syscalls because this might be a sign of someone exploiting a hole in the 32 bit API."

Instead of "CentOS", "Red Hat based systems" would be more appropriate, but it still would not be true, because the path=/etc/vmware-tools is exactly the same on Alpine, Debian, Ubuntu, SUSE, etc.
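The two positions in this thread (an explicit arch=b32 counterpart for every arch=b64 syscall rule, versus relying on the single arch=b32 -S all catch-all) can be checked mechanically against a rules file. This is an added example, not code from the Neo23x0/auditd project: the lines in SAMPLE_RULES are constructed for illustration and the function names are mine.

```python
# Constructed sample in audit.rules syntax (not the Neo23x0/auditd file itself)
SAMPLE_RULES = """\
## constructed sample, modelled on the style of rules discussed in this thread
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=-1 -k mount
-a never,exit -F dir=/etc/vmware-tools -k vmware_noise
## 32bit API Exploitation catch-all: any 32-bit syscall on a 64-bit box is suspicious
-a always,exit -F arch=b32 -S all -k 32bit_api
"""

def parse_rules(text):
    """Parse '-a action,list' syscall rules into dicts (action, arch, syscalls, key).
    Rules without -S (path/dir exclusions, -w watches) are ignored; -S may repeat or be a list."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
            continue
        rule = {"action": tokens[1].split(",")[0], "arch": None, "syscalls": set(), "key": None}
        i = 2
        while i + 1 < len(tokens):          # auditctl options all take exactly one value
            flag, value = tokens[i], tokens[i + 1]
            if flag == "-F" and value.startswith("arch="):
                rule["arch"] = value.split("=", 1)[1]
            elif flag == "-S":
                rule["syscalls"].update(value.split(","))
            elif flag == "-k":
                rule["key"] = value
            i += 2
        if rule["syscalls"]:
            rules.append(rule)
    return rules

def b32_coverage(text):
    """Map each syscall watched by an 'always' arch=b64 rule to how its 32-bit ABI
    counterpart is covered: 'pair' (explicit b32 rule), 'catch-all' (b32 -S all) or 'none'."""
    rules = parse_rules(text)
    b32_syscalls, catch_all = set(), False
    for r in rules:
        if r["action"] == "always" and r["arch"] == "b32":
            b32_syscalls |= r["syscalls"]
            catch_all = catch_all or "all" in r["syscalls"]
    report = {}
    for r in rules:
        if r["action"] != "always" or r["arch"] != "b64":
            continue
        for sc in r["syscalls"]:
            report[sc] = "pair" if sc in b32_syscalls else ("catch-all" if catch_all else "none")
    return report

if __name__ == "__main__":
    for sc, how in sorted(b32_coverage(SAMPLE_RULES).items()):
        print(f"{sc:10s} b32 coverage: {how}")
```

Run it on a real file with b32_coverage(open("/etc/audit/rules.d/audit.rules").read()); a syscall reported as "none" is audited only on the 64-bit ABI and would be missed if invoked through the 32-bit one.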

@kovacs-andras
Contributor

I guess this "exception proves the rule" when the security folks are recommending to support older systems while a sysadmin recommends to move forward to newer ones and not the other way around. :)) I would definitely be happier with colleagues like you.

@Pierre-Gronau-ndaal
Contributor Author

Pierre-Gronau-ndaal commented Aug 8, 2023

> I guess this "exception proves the rule" when the security folks are recommending to support older systems while a sysadmin recommends to move forward to newer ones and not the other way around. :)) I would definitely be happier with colleagues like you.

I'm not sure if you mean me. But I can promise that in my security work I highly recommend moving forward, except when a special government approval is needed, like in nuclear plants ...

I changed the comment content as you suggested.


3 participants