So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system?
On Fri, May 15, 2015 at 5:04 AM, dan (ddp) <ddp...@gmail.com> wrote: > On Tue, May 12, 2015 at 6:57 PM, autodidactic <theoriginalg...@gmail.com> > wrote: > > Are there any updates to this feature or documentation about it? I see > vary > > raw documentation in the sample CIS benchark policy audit files, but > leaves > > me guessing about some of it? I want to write the policy for the newer > CIS > > benchmarks for EL6 and EL7... any help or pointers to where I can learn > more > > would be helpful... > > > > I haven't written anything about it, and I haven't looked into it > enough to know the answers. > > > also, i'm not sure how to implement a permissions check via this system. > is > > it possible or perhaps it is not? > > > > > > On Thursday, July 10, 2008 at 12:43:36 PM UTC-7, Daniel Cid wrote: > >> > >> Hi list, > >> > >> I just posted in my blog about the new support for CIS benchmarks on > >> OSSEC and I want to hear > >> the feedback anyone may have. > >> > >> Link: http://www.ossec.net/dcid/?p=137 > >> > >> > >> " > >> We just included support in the OSSEC Policy monitor to audit if a > >> system is in compliance with the CIS Security Benchmarks > >> (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are > >> supported - the other versions will be soon). > >> > >> If you want to try it out manually and provide some feedback to us, > >> please follow the instructions bellow to test: > >> > >> > >> First, grab the latest CVS snapshot and compile it (it will be > >> included on v1.6 and above): > >> > >> # wget > http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz > >> # tar -zxvf ossec-hids-080710.tar.gz > >> # cd ossec-hids-080710/src/ > >> # make clean > >> # make libs > >> # cd rootcheck > >> # make binary > >> > >> The binary ossec-rootcheck will be created on the current directory > >> and we can start using it. A simple scan on my Ubuntu > >> box looked like this: (note, that it will do all the normal rootcheck > >> tests plus the CIS scans -- just grep for CIS if you don't want to see > >> the rest): > >> > >> # ./ossec-rootcheck > >> .. > >> > >> [INFO]: System Audit: CIS - Testing against the CIS Debian Linux > >> Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition > >> scheme - /tmp is not on its own partition. File: /etc/fstab. > >> Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition > >> scheme - /var is not on its own partition. File: /etc/fstab. > >> Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - > >> Root login allowed. File: /etc/ssh/sshd_config. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - > >> Sysstat not enabled. File: /etc/default/sysstat. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard > >> boot services - Squid Enabled. File: /etc/init.d/squid. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition > >> /media without 'nodev' set. File: /etc/fstab. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition > >> /media without 'nosuid' set. File: /etc/fstab. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted > >> removable partition /media. File: /etc/fstab. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> [INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not > >> set. File: /boot/grub/menu.lst. Reference: > >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux . > >> > >> .. > >> > >> > >> Anyone here using CIS (or FDCC)? As always, feedback and suggestions > >> are welcome. > >> " > >> > >> > >> Thanks, > >> > >> -- > >> Daniel B. Cid > >> dcid ( at ) ossec.net > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to ossec-list+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
