
Rules related to Audit syscalls create invalid configuration for ppc64le

Open vojtapolasek opened this issue 2 years ago • 2 comments

Description of problem:

Remediation of Audit rules which deal with syscalls decides what lines to put into configuration files based on the result of the following command:

getconf LONG_BIT

In case it returns "32", remediations put only 32-bit related rules into the Audit configuration. In other cases remediations put both 32-bit and 64-bit lines into the file. But this is a problem on ppc64le because if it encounters a 32-bit rule, it fails to process it and therefore rules are not loaded / auditing does not work.

SCAP Security Guide Version:

master

Operating System Version:

RHEL >= 8

Steps to Reproduce:

  1. access a ppc64le machine
  2. remediate some rule, for example audit_rules_dac_modification_fchmod
  3. augenrules --load

Actual Results:

Loading of rules is aborted with an error. The error points to a line with a rule like

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

Expected Results:

Audit configuration is properly loaded.

Additional Information/Debugging Steps:

vojtapolasek, Aug 29 '23 13:08

We should extend the getconf LONG_BIT test and/or include conditionals specific for ppc64le arch.

marcusburghardt, Sep 01 '23 09:09

Note that there is a similar issue on aarch64. 32-bit syscalls are desired, but some 64-bit syscalls are not.

vojtapolasek, Sep 14 '23 11:09
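
One way to extend the getconf LONG_BIT test with a ppc64le conditional, as suggested in the thread above, together with a check for rule lines that will not load. This is an added example, not the project's remediation code; the function names are hypothetical, the sample inputs are constructed, and the aarch64 case (which depends on individual syscalls) is not modeled.

```shell
#!/bin/sh
# Added example (not project code): choose the arch= values for a syscall
# audit rule from the machine type as well as LONG_BIT.
# Assumption taken from the issue: ppc64le cannot load arch=b32 rules.

# audit_arches MACHINE LONG_BIT -> space-separated arch values to emit
audit_arches() (
    if [ "$2" = "32" ]; then
        echo "b32"
    elif [ "$1" = "ppc64le" ]; then
        echo "b64"          # skip b32 lines, they abort augenrules --load
    else
        echo "b32 b64"
    fi
)

# emit_syscall_rules MACHINE LONG_BIT SYSCALL KEY -> one rule line per arch
emit_syscall_rules() (
    for arch in $(audit_arches "$1" "$2"); do
        printf '%s\n' "-a always,exit -F arch=$arch -S $3 -F auid>=1000 -F auid!=unset -F key=$4"
    done
)

# count_unloadable_rules MACHINE LONG_BIT FILE -> number of non-comment
# lines in FILE whose arch= value is not selected for this machine
count_unloadable_rules() (
    allowed=" $(audit_arches "$1" "$2") "
    n=0
    while IFS= read -r line; do
        case $line in
            \#*) continue ;;
            *arch=b32*) arch=b32 ;;
            *arch=b64*) arch=b64 ;;
            *) continue ;;
        esac
        case $allowed in
            *" $arch "*) ;;
            *) n=$((n + 1)) ;;
        esac
    done < "$3"
    echo "$n"
)

# Constructed inputs; on a real host pass "$(uname -m)" and "$(getconf LONG_BIT)".
emit_syscall_rules ppc64le 64 fchmod perm_mod
```

Running `count_unloadable_rules` over each file in the audit rules directory before `augenrules --load` shows which files carry the lines that would abort loading.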