DRAFT: Fix aarch64 audit rules for unsupported syscalls

[macko1]

Description:

Fixes rules audit_rules_file_deletion_events and audit_rules_unsuccessful_file_modification on aarch64.

Both rules generate /etc/audit/rules.d/*.rules files that include syscalls which do not exist on aarch64 (rmdir, unlink, rename, creat, open). When auditd loads these rules, it fails because the kernel rejects the nonexistent syscalls.

The aarch64 architecture replaced these legacy syscalls with "at" variants (unlinkat, renameat, openat).

The rules now detect aarch64 and write only the syscalls that exist on that architecture:

Bash remediations:

• Detect aarch64 at runtime with uname -m
• On aarch64: write unlinkat, renameat, renameat2 (for file deletion) and openat (for file modification)
• On other architectures: write all syscalls (rmdir, unlink, rename, unlinkat, renameat, renameat2 for file deletion; creat, open, openat for file modification)

OVAL checks:

• Split into aarch64 branch (checks for unlinkat, renameat, renameat2, openat only) and other-arch branch (checks for all syscalls)
• Use the cpe:/a:machine CPE definition to detect aarch64 and select the correct branch

Rules fixed:

audit_rules_file_deletion_events:

• Do not exist on aarch64: rmdir, unlink, rename
• Exist on aarch64: unlinkat, renameat, renameat2

audit_rules_unsuccessful_file_modification:

• Do not exist on aarch64: creat, open
• Exist on aarch64: openat, open_by_handle_at, truncate, ftruncate
• Removed platforms: - not aarch64_arch restriction from rule.yml (rule was completely excluded from aarch64)

Rationale:

Profiles like rhel9/profiles/default.profile select audit_rules_file_deletion_events and audit_rules_unsuccessful_file_modification, not the individual syscall-specific rules. If we excluded these rules from aarch64 (via platform restrictions), auditd would not log any file deletion or modification events on aarch64 systems.

Instead, the rules now work on aarch64 and log the events using the syscalls that exist on that architecture.

• Fixes audit-rules service fails due to unsupported rule group on aarch64 #14196
• Fixes Do not expect auditd rules for obsolete syscalls on arm64/aarch64 architecture #14372

Review Hints:

Build on aarch64:

$ ./build_product rhel9 --datastream

Apply the generated rules and verify:

• auditd loads the rules without errors
• auditd logs file deletion events (unlinkat, renameat, renameat2)
• auditd logs file modification events (openat)

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events' differs.
--- oval:ssg-audit_rules_file_deletion_events:def:1
+++ oval:ssg-audit_rules_file_deletion_events:def:1
@@ -1,4 +1,11 @@
+criteria OR
 criteria AND
+extend_definition oval:ssg-system_info_architecture_aarch_64:def:1
+extend_definition oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
+extend_definition oval:ssg-audit_rules_file_deletion_events_renameat:def:1
+extend_definition oval:ssg-audit_rules_file_deletion_events_renameat2:def:1
+criteria AND
+extend_definition oval:ssg-system_info_architecture_aarch_64:def:1
 extend_definition oval:ssg-audit_rules_file_deletion_events_rmdir:def:1
 extend_definition oval:ssg-audit_rules_file_deletion_events_unlink:def:1
 extend_definition oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
@@ -4,15 +4,29 @@
 # Perform the remediation for the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+# Detect if running on aarch64 architecture
+# This remediation script writes audit rules to /etc/audit/rules.d/ or /etc/audit/audit.rules
+# We need runtime detection because this script must work on any architecture
+AARCH64=false
+[ "$(uname -m)" = "aarch64" ] && AARCH64=true
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="rmdir unlink unlinkat rename renameat renameat2"
+	if [ "$AARCH64" = true ] && [ "$ARCH" = "b64" ]; then
+		# aarch64 b64 ABI does not have rmdir, unlink, or rename syscalls
+		# These legacy syscalls were replaced by unlinkat and renameat variants
+		# If we try to write rules for them, auditctl will fail with "Syscall name unknown"
+		SYSCALL="unlinkat renameat renameat2"
+		SYSCALL_GROUPING="unlinkat renameat renameat2"
+	else
+		SYSCALL="rmdir unlink unlinkat rename renameat renameat2"
+		SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat renameat2"
+	fi
 	KEY="delete"
-	SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat renameat2"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

OVAL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification' differs.
--- oval:ssg-audit_rules_unsuccessful_file_modification:def:1
+++ oval:ssg-audit_rules_unsuccessful_file_modification:def:1
@@ -1,4 +1,12 @@
+criteria OR
 criteria AND
+extend_definition oval:ssg-system_info_architecture_aarch_64:def:1
+extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
+extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
+extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1
+extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
+criteria AND
+extend_definition oval:ssg-system_info_architecture_aarch_64:def:1
 extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
 extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
 extend_definition oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
@@ -1,9 +1,15 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel-core && { ( ! ( ( grep -sqE "^.*\.aarch64$" /proc/sys/kernel/osrelease || grep -sqE "^aarch64$" /proc/sys/kernel/arch; ) ) ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel-core; then
 
 # Perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+# Detect if running on aarch64 architecture
+# This remediation script writes audit rules to /etc/audit/rules.d/ or /etc/audit/audit.rules
+# We need runtime detection because this script must work on any architecture
+AARCH64=false
+[ "$(uname -m)" = "aarch64" ] && AARCH64=true
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
@@ -12,9 +18,17 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS="-F exit=-EACCES"
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+	if [ "$AARCH64" = true ] && [ "$ARCH" = "b64" ]; then
+		# aarch64 b64 ABI does not have creat or open syscalls
+		# These legacy syscalls were replaced by openat variant
+		# If we try to write rules for them, auditctl will fail with "Syscall name unknown"
+		SYSCALL="openat open_by_handle_at truncate ftruncate"
+		SYSCALL_GROUPING="openat open_by_handle_at truncate ftruncate"
+	else
+		SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+		SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
+	fi
 	KEY="access"
-	SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping
@@ -327,9 +341,17 @@
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS="-F exit=-EPERM"
 	AUID_FILTERS="-F auid>=1000 -F auid!=unset"
-	SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+	if [ "$AARCH64" = true ] && [ "$ARCH" = "b64" ]; then
+		# aarch64 b64 ABI does not have creat or open syscalls
+		# These legacy syscalls were replaced by openat variant
+		# If we try to write rules for them, auditctl will fail with "Syscall name unknown"
+		SYSCALL="openat open_by_handle_at truncate ftruncate"
+		SYSCALL_GROUPING="openat open_by_handle_at truncate ftruncate"
+	else
+		SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
+		SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
+	fi
 	KEY="access"
-	SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	unset syscall_a
 unset syscall_grouping

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification'
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
@@ -1 +1 @@
-oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1
+

[openshift-ci]

@macko1: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	d53653c	link	true	/test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.