stig.rules

Stephen John Smoogen smooge at gmail.com
Tue Apr 6 21:17:17 UTC 2010


On Tue, Apr 6, 2010 at 2:14 PM,  <rshaw1 at umbc.edu> wrote:
> I've been trying to set up auditd for STIG compliance.  I'm working with
> RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
> 2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
> though I'm just trying to get it working on a RHEL 5.5 machine to start.

I don't think STIG was ever approved for RHEL-5, which might explain the holes.

> The stig.rules sample file is helpful, but I'm having difficulty filling
> in the missing parts (which I suppose is probably why they're missing).  I
> checked Google and the past two years of list archives, and didn't find
> anything relevant (though I may have missed it).  Specifically:
>
> - Monitoring system startup and shutdown.  I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these.  I'm not sure how to accurately monitor startup at all.

There is always going to be a cool way to monitor startup/shutdown, so
you have to figure out what is good enough for your environment (or
the approval agency has to, etc.). I was thinking aulast might help,
but it doesn't seem to.

> - Use of print command (unsuccessful and successful).  I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow.  There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).

Not going to be much help here either. Hopefully Steve Grubb will see this.

> If I should just be monitoring these via another facility, that may also
> work.  I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).
>

I don't know of anything myself.


-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
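The rules the original poster is trying to fill in, as an added example that is not code from this thread or from the audit package's sample stig.rules: a POSIX sh script that emits rules in the "-F path=... -F perm=x" form the RHEL 5 sample uses for "Use of privileged commands", extends that form to the shutdown family and the command-line print tools, and checks that every rule carries the auid filter and a key. The fake root tree it builds is constructed sample input so the script runs offline; the specific path lists, key names and backlog size are assumptions, and the cupsd caveat is the one raised above (a perm=x rule only fires on execve, so a job a GUI application hands to an already-running cupsd is never seen by it).

```shell
#!/bin/sh
# Added example for the Linux-audit thread above, not part of stig.rules.
# Builds STIG-style auditd execute-watch rules and sanity-checks the result.

# RHEL 5 uses UID_MIN=500; auid!=4294967295 skips processes whose login
# uid was never set (daemons started at boot).
AUID_FILTER='-F auid>=500 -F auid!=4294967295'

# Emit one execute-watch rule per path, tagged with the key in $1.
exec_rule() {
    key=$1; shift
    for p in "$@"; do
        printf -- '-a always,exit -F path=%s -F perm=x %s -k %s\n' \
            "$p" "$AUID_FILTER" "$key"
    done
}

# Privileged commands: every setuid/setgid regular file below root $1.
# Pass / on a real host; the sample tree below is used here instead.
privileged_rules() {
    root=$1
    case $root in /) prefix= ;; *) prefix=${root%/} ;; esac
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while read -r f; do
        exec_rule privileged "${f#"$prefix"}"   # drop the sample-root prefix
    done
}

# Shutdown family: records who executed them. This does not see other
# paths to a reboot (SysRq, power cycle), which is the gap the thread notes.
shutdown_rules() {
    exec_rule shutdown /sbin/shutdown /sbin/halt /sbin/reboot /sbin/poweroff /sbin/init
}

# Print commands: CLI tools plus the daemon. perm=x fires on execve only,
# so jobs a GUI app submits to a running cupsd over its socket are missed.
print_rules() {
    exec_rule print /usr/bin/lp /usr/bin/lpr /usr/sbin/cupsd
}

# Whole rules file: flush old rules, set a backlog (size is an assumption),
# then the three rule groups.
build_rules() {
    printf '%s\n' '-D' '-b 8192'
    privileged_rules "$1"
    shutdown_rules
    print_rules
}

# Print the number of -a rules missing the auid filter or a key; nonzero
# exit status if any are bad (such events are unattributed or unsearchable
# with ausearch -k).
check_rules() {
    bad=0
    while read -r line; do
        case $line in
            -a*) case $line in
                     *"$AUID_FILTER"*" -k "*) ;;
                     *) bad=$((bad + 1)) ;;
                 esac ;;
        esac
    done < "$1"
    printf '%s\n' "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample root: three setuid/setgid files and one plain binary.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin" "$d/sbin"
    : > "$d/bin/ping";       chmod 4755 "$d/bin/ping"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/bin/wall";   chmod 2755 "$d/usr/bin/wall"
    : > "$d/bin/ls";         chmod 0755 "$d/bin/ls"     # not privileged
    printf '%s\n' "$d"
}

main() {
    root=$(make_sample_root)
    out=$(mktemp)
    build_rules "$root" > "$out"
    cat "$out"
    check_rules "$out" > /dev/null && echo "ok: every rule has auid filter and key"
    rm -rf "$root" "$out"
}
main
```

On a real RHEL 5 host the equivalent is `build_rules / > /etc/audit/audit.rules` followed by `auditctl -R /etc/audit/audit.rules`; the setuid scan is the same find command the sample file's comment suggests, only wrapped so the emitted paths and keys can be checked before loading.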
