On May 15, 2015 5:27 PM, "The O.G." <theoriginalg...@gmail.com> wrote:
>
> So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system?
>

It simply means I cannot answer many questions about it. Reading the source is one way to get a better understanding. Someone with more knowledge about the topic answering is another way. I will definitely add this to my (not)short list of things to dig into though.

> On Fri, May 15, 2015 at 5:04 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Tue, May 12, 2015 at 6:57 PM, autodidactic <theoriginalg...@gmail.com> wrote:
>> > Are there any updates to this feature or documentation about it? I see very
>> > raw documentation in the sample CIS benchmark policy audit files, but leaves
>> > me guessing about some of it? I want to write the policy for the newer CIS
>> > benchmarks for EL6 and EL7... any help or pointers to where I can learn more
>> > would be helpful...
>> >
>>
>> I haven't written anything about it, and I haven't looked into it
>> enough to know the answers.
>>
>> > also, i'm not sure how to implement a permissions check via this system. is
>> > it possible or perhaps it is not?
>> >
>> >
>> > On Thursday, July 10, 2008 at 12:43:36 PM UTC-7, Daniel Cid wrote:
>> >>
>> >> Hi list,
>> >>
>> >> I just posted in my blog about the new support for CIS benchmarks on
>> >> OSSEC and I want to hear
>> >> the feedback anyone may have.
>> >>
>> >> Link: http://www.ossec.net/dcid/?p=137
>> >>
>> >>
>> >> "
>> >> We just included support in the OSSEC Policy monitor to audit if a
>> >> system is in compliance with the CIS Security Benchmarks
>> >> (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are
>> >> supported - the other versions will be soon).
>> >>
>> >> If you want to try it out manually and provide some feedback to us,
>> >> please follow the instructions below to test:
>> >>
>> >>
>> >> First, grab the latest CVS snapshot and compile it (it will be
>> >> included on v1.6 and above):
>> >>
>> >> # wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
>> >> # tar -zxvf ossec-hids-080710.tar.gz
>> >> # cd ossec-hids-080710/src/
>> >> # make clean
>> >> # make libs
>> >> # cd rootcheck
>> >> # make binary
>> >>
>> >> The binary ossec-rootcheck will be created in the current directory
>> >> and we can start using it. A simple scan on my Ubuntu
>> >> box looked like this: (note, that it will do all the normal rootcheck
>> >> tests plus the CIS scans -- just grep for CIS if you don't want to see
>> >> the rest):
>> >>
>> >> # ./ossec-rootcheck
>> >> ..
>> >>
>> >> [INFO]: System Audit: CIS - Testing against the CIS Debian Linux
>> >> Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
>> >> scheme - /tmp is not on its own partition. File: /etc/fstab.
>> >> Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
>> >> scheme - /var is not on its own partition. File: /etc/fstab.
>> >> Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration -
>> >> Root login allowed. File: /etc/ssh/sshd_config. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting -
>> >> Sysstat not enabled. File: /etc/default/sysstat. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard
>> >> boot services - Squid Enabled. File: /etc/init.d/squid. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition
>> >> /media without 'nodev' set. File: /etc/fstab. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition
>> >> /media without 'nosuid' set. File: /etc/fstab. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted
>> >> removable partition /media. File: /etc/fstab. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> [INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not
>> >> set. File: /boot/grub/menu.lst. Reference:
>> >> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>> >>
>> >> ..
>> >>
>> >>
>> >> Anyone here using CIS (or FDCC)? As always, feedback and suggestions
>> >> are welcome.
>> >> "
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> --
>> >> Daniel B. Cid
>> >> dcid ( at ) ossec.net
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+unsubscr...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
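Added example, not part of this thread and not OSSEC's own code: a small Python parser for the `[INFO]: System Audit: CIS - ...` lines that Daniel Cid's quoted scan output shows. It re-joins records that the mail client wrapped onto several lines (real `ossec-rootcheck` output prints one record per line, which passes through unchanged), keeps only the CIS audit lines, as the suggested `grep CIS` would, and groups findings by the file rootcheck inspected so each file can be remediated once. The sample input is constructed from the quoted output; the regexes, data class and function names are my own assumptions about nothing beyond the line format visible in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the CIS lines quoted in the thread, wrapped
# the way the mail client wrapped them (continuation lines do not start with
# "[INFO]"; records are separated by blank lines).
SAMPLE_OUTPUT = """\
..

[INFO]: System Audit: CIS - Testing against the CIS Debian Linux
Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
scheme - /tmp is not on its own partition. File: /etc/fstab.
Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
scheme - /var is not on its own partition. File: /etc/fstab.
Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration -
Root login allowed. File: /etc/ssh/sshd_config. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard
boot services - Squid Enabled. File: /etc/init.d/squid. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition
/media without 'nodev' set. File: /etc/fstab. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not
set. File: /boot/grub/menu.lst. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
"""

# Assumed line shape, taken only from the quoted output:
#   [INFO]: System Audit: CIS - <body>. File: <path>. Reference: <url> .
AUDIT_RE = re.compile(
    r"^\[INFO\]: System Audit: CIS - (?P<body>.+?)\. "
    r"File: (?P<file>\S+)\. Reference: (?P<ref>\S+) \.$"
)
# <body> of a finding: "<benchmark> <section> - <title>"; the "Testing
# against ..." banner has no "<section> - " part and is treated as a header.
FINDING_RE = re.compile(r"^(?P<benchmark>.+?) (?P<section>\d+(?:\.\d+)+) - (?P<title>.+)$")


@dataclass(frozen=True)
class Finding:
    benchmark: str
    section: str
    title: str
    file: str
    reference: str


def join_wrapped(text):
    """Re-join records wrapped by a mail client. A record starts at a line
    beginning with '[INFO]' and continues over following non-blank lines."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or (line.startswith("[INFO]") and current):
            if current:
                records.append(" ".join(current))
                current = []
        if line:
            current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_audit_output(text):
    """Return (header, findings); non-CIS rootcheck output is skipped."""
    header, findings = None, []
    for record in join_wrapped(text):
        m = AUDIT_RE.match(record)
        if not m:
            continue  # ordinary rootcheck output, not a CIS audit line
        f = FINDING_RE.match(m["body"])
        if f is None:
            header = m["body"]  # "Testing against the CIS ... Benchmark v1.0"
            continue
        findings.append(Finding(f["benchmark"], f["section"], f["title"], m["file"], m["ref"]))
    return header, findings


def section_key(section):
    """Sort key so that 4.2 sorts before 4.18 (numeric, not lexical)."""
    return tuple(int(p) for p in section.split("."))


def findings_by_file(findings):
    """Group findings by inspected file, in benchmark section order."""
    by_file = defaultdict(list)
    for f in sorted(findings, key=lambda f: section_key(f.section)):
        by_file[f.file].append(f"{f.section} {f.title}")
    return dict(by_file)


if __name__ == "__main__":
    hdr, found = parse_audit_output(SAMPLE_OUTPUT)
    print(hdr)
    for path, items in findings_by_file(found).items():
        print(path, *items, sep="\n    ")
```

Point it at real output with `./ossec-rootcheck | python3 this_script.py`-style piping by reading `sys.stdin` instead of `SAMPLE_OUTPUT`; the same functions apply, since unwrapped one-line records are a degenerate case of the joiner.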