Hi Aaron, These are enabled by default if you did a fresh install of 1.6/1.6.1. If you run the rootcheck_control tool you will be able to see what has been reported. If you want to receive email alerts on these, follow the instructions on that link to create a custom rule.
If you upgraded from 1.5 or below, you need to add the CIS files to your rootcheck config. Ex: <rootcheck> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> </rootcheck> Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On Sat, Oct 25, 2008 at 10:30 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote: > Hi all, > I'm running version 1.6.1. I'm looking for documentation on how to enable > CIS benchmark auditing on the server and clients. I cam across this link in > the wiki, but I didn't see any documentation on configuring/enabling the > auditing policy or rules. Thanks. > > Aaron > > http://www.ossec.net/wiki/index.php/Know_How:UnixPolicy >
