[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: stig.rules

On Tuesday 06 April 2010 04:14:32 pm rshaw1 umbc edu wrote:
> - Monitoring system startup and shutdown.  I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these.  I'm not sure how to accurately monitor startup at all.

Init is the only thing that knows the system is changing states. Upstart was 
patched to handle this requirement but the older SysVinit package has not been 
patched. You should be able to watch some of the apps in the init package to 
see what is happening. It won't be as nice as the upstart based solution, but 
will log the event.

> - Use of print command (unsuccessful and successful).  I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow.  There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).

Support for auditing anything on the desktop is not really functional. Dbus 
has no way of changing the auid correctly and everything passing through it 
would be attributed to root. The best way to straighten this all out would be 
getting the desktop through a Common Criteria certification so that all this 
would get addressed, but there has never been enough interest to do this.

> If I should just be monitoring these via another facility, that may also
> work.  I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).

RHEL4 won't be getting any updates to support this as far as I know. I have no 
experience with any other solutions to be able to recommend any of them.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]