[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]


I've been trying to set up auditd for STIG compliance.  I'm working with
RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
though I'm just trying to get it working on a RHEL 5.5 machine to start. 
The stig.rules sample file is helpful, but I'm having difficulty filling
in the missing parts (which I suppose is probably why they're missing).  I
checked Google and the past two years of list archives, and didn't find
anything relevant (though I may have missed it).  Specifically:

- Monitoring system startup and shutdown.  I could monitor all the
relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
around these.  I'm not sure how to accurately monitor startup at all.

- Use of print command (unsuccessful and successful).  I tried modifying
the "Use of privileged commands" rule to monitor the command-line print
commands and cupsd, but this didn't catch printing via GUI apps through
CUPS, and I suspect there must be a better way anyhow.  There are cupsd
audit entries, but these are from the permission change/deletion rules (I
did move the print rules above those, close to the top).

If I should just be monitoring these via another facility, that may also
work.  I'm also pondering the best way to get the RHEL4 machines to send
their audit logs to a central server, as there seems to be no support for
audisp at all (unless I'm missing something).



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]