question

Steve Grubb sgrubb at redhat.com
Mon Nov 3 17:57:27 UTC 2008


On Monday 03 November 2008 12:21:23 David Flatley wrote:
> I am actually using the suggested parameters from the STIG for UNIX
> guide. I have searched and found the stig.rules on the internet and we are
> going to try them. I also saw the nispom.rules but apparently they are
> for Red Hat 5 Kernel 2.6.25 it says in the file?

Yes, those rules use some recent kernel functionality in order to cover all 
the requirements. Those recent kernel updates are in the RHEL5 kernels and 
should work. They will take some re-engineering to get working on RHEL4.


> We are not using keying but will once we get the stig.rules installed
> they appear to be using the -k flag.

On RHEL4, you can only use keys on the file watches. RHEL5 you can use them on 
both syscall and file watches.


>     We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is
> there a compelling reason to update to the
> 1.0.16 version of audit?

The change log

1.0.16
- Update time handling for ausearch and aureport to add more keywords
- Fix the ausearch on keyword to tolerate records with no key (#402941)
- num_logs option wasn't working right on shifts (#325561)
- In auditd, resume logging on SIGUSR2 (#325561)
- ausearch needed update for escaped acct fields (#353241)
- Fix parsing filterkeys in fs_watch records

So, this has some fixups for using keys.

-Steve
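A small rules lint illustrating the RHEL4 versus RHEL5 key distinction above: it reads an audit.rules fragment and reports syscall rules (-a) that carry a -k key, since on RHEL4 keys are only honoured on file watches (-w). This is an added example, not code from the thread or from the audit package; the rules fragment is constructed for the example.

```python
import shlex

# Constructed sample audit.rules fragment (not the stig.rules or nispom.rules
# discussed in the thread).
SAMPLE_RULES = """\
# file watches: keys work on RHEL4 and RHEL5
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# syscall rules: keys only honoured on RHEL5 (per the reply above)
-a always,exit -F arch=b64 -S unlink -S rename -k delete
-a exit,always -S mount -k export
-a always,exit -S settimeofday
"""


def classify_rule(line):
    """Return (kind, key) for one auditctl rule line, or None for a comment
    or blank line. kind is 'watch' for -w rules, 'syscall' for -a rules and
    'other' for anything else; key is the -k value or None."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    kind, key = "other", None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-w":
            kind = "watch"
        elif tok == "-a":
            kind = "syscall"
        elif tok == "-k" and i + 1 < len(tokens):
            key = tokens[i + 1]
            i += 1  # skip the key value
        i += 1
    return kind, key


def keyed_syscall_rules(rules_text):
    """List (line number, key, rule) for every syscall rule that sets a key.
    These are the rules that need the RHEL5-era kernel and audit userspace;
    on RHEL4 only the file-watch keys would be usable."""
    flagged = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        info = classify_rule(line)
        if info and info[0] == "syscall" and info[1] is not None:
            flagged.append((lineno, info[1], line.strip()))
    return flagged
```

Running `keyed_syscall_rules(SAMPLE_RULES)` flags the `delete` and `export` rules; the file watches keyed `identity` pass on either release.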
