On Tue, Apr 6, 2010 at 2:14 PM, <[email protected]> wrote:
> I've been trying to set up auditd for STIG compliance. I'm working with
> RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
> 2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
> though I'm just trying to get it working on a RHEL 5.5 machine to start.

I don't think STIG was ever approved for RHEL-5, which might explain the holes.

> The stig.rules sample file is helpful, but I'm having difficulty filling
> in the missing parts (which I suppose is probably why they're missing). I
> checked Google and the past two years of list archives, and didn't find
> anything relevant (though I may have missed it). Specifically:
>
> - Monitoring system startup and shutdown. I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these. I'm not sure how to accurately monitor startup at all.

There is always going to be a cool way to monitor startup/shutdown, so you have to figure out what is good enough for your environment (or the approval agency has to, etc.). I was thinking aulast might help, but it doesn't seem to.

> - Use of print command (unsuccessful and successful). I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow. There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).

Not going to be much help here either; hopefully Steve Grubb will see this.

> If I should just be monitoring these via another facility, that may also
> work. I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).

I don't know of anything myself.

--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
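For the startup/shutdown item in the quoted message, here is an added example of how the evidence already in audit.log can be pulled together; it is not code from this thread or from the audit project. It reads auditd's key=value records and reports the DAEMON_START / DAEMON_END records that auditd writes when it starts and stops, plus any SYSCALL record tagged with the key of a file watch on the power binaries. The watch rule and its key ("power", e.g. `-w /sbin/shutdown -p x -k power`) are assumed, not taken from stig.rules, and every sample log line below is constructed for the example.

```python
#!/usr/bin/env python3
"""Report boot/shutdown evidence from auditd's audit.log.

Added example for the list thread, not code from the list or the audit
project.  It reads the key=value records that auditd writes and extracts:
  * DAEMON_START / DAEMON_END records (auditd starting and stopping), and
  * SYSCALL records carrying the key of a watch such as
        -w /sbin/shutdown -p x -k power   (assumed rule, key "power")
    joined with the item=0 PATH record of the same serial number, so a
    failed attempt still names the binary that was tried.
"""
import re
from datetime import datetime, timezone

# Constructed sample log: the layout follows auditd's record format, but
# every value (pids, inodes, auids, timestamps) is made up for this example.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1270585200.123:1): auditd start, ver=1.7.17 format=raw kernel=2.6.18-194.el5 auid=4294967295 pid=2101 res=success
type=SYSCALL msg=audit(1270592300.111:2205): arch=c000003e syscall=59 success=no exit=-13 a0=1 a1=2 a2=3 a3=4 items=1 ppid=3020 pid=3021 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key="power"
type=PATH msg=audit(1270592300.111:2205): item=0 name="/sbin/reboot" inode=65041 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1270592400.456:2210): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3010 pid=3011 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="shutdown" exe="/sbin/shutdown" key="power"
type=PATH msg=audit(1270592400.456:2210): item=0 name="/sbin/shutdown" inode=65037 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270592400.456:2210): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1311 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=DAEMON_END msg=audit(1270592410.000:2211): auditd normal halt, sending auid=500 pid=3011 subj=unconfined res=success
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (type, epoch_seconds, serial, fields) for each well-formed line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record; skip rather than fail
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        yield rtype, int(epoch), int(serial), fields


def _event(epoch, kind, detail):
    stamp = datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"epoch": epoch, "time": stamp, "kind": kind, "detail": detail}


def power_events(text, watch_key="power"):
    """Return boot/shutdown evidence as a list of dicts sorted by time.

    Each dict has 'epoch', 'time' (UTC), 'kind' and 'detail'.
    """
    events = []
    syscalls = {}   # serial -> (epoch, fields) for records with our key
    targets = {}    # serial -> name from the item=0 PATH record
    for rtype, epoch, serial, f in parse_records(text):
        if rtype == "DAEMON_START":
            events.append(_event(epoch, "boot",
                                 "auditd started, kernel " + f.get("kernel", "?")))
        elif rtype == "DAEMON_END":
            events.append(_event(epoch, "shutdown",
                                 "auditd stopped, auid=" + f.get("auid", "?")))
        elif rtype == "SYSCALL" and f.get("key") == watch_key:
            syscalls[serial] = (epoch, f)
        elif rtype == "PATH" and f.get("item") == "0":
            targets[serial] = f.get("name", "?")
    for serial, (epoch, f) in syscalls.items():
        # On a failed execve, exe= is still the caller (e.g. /bin/bash), so
        # the PATH record is the reliable place to read the attempted binary.
        target = targets.get(serial, f.get("exe", "?"))
        verb = "ran" if f.get("success") == "yes" else "failed to run"
        events.append(_event(epoch, "power-command",
                             "auid=%s %s %s" % (f.get("auid", "?"), verb, target)))
    events.sort(key=lambda e: e["epoch"])
    return events


if __name__ == "__main__":
    for e in power_events(SAMPLE_LOG):
        print(e["time"], e["kind"].ljust(14), e["detail"])
```

Run against a real log with `power_events(open("/var/log/audit/audit.log").read())`; the DAEMON_START/DAEMON_END pair only tells you when auditd was up, which is why the watched-binary records are correlated with it rather than relied on alone.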
