Hi all. I have a couple more questions on enabling CIS auditing. Specifically, would it be possible to add support by default to the audit files for CentOS? I've verified that CentOS 5 works great against the cis_rhel5_linux_rcl.txt audit file. I'll be verifying other versions of CentOS as well.

Also, I got the cis_rhel5_linux_rcl.txt audit file to work against a box running CentOS 5.2. Contents of /etc/red-release are:

CentOS release 5.2 (Final)

I added the following line to the cis_rhel5_linux_rcl.txt audit file to get the auditing to work:

f:/etc/redhat-release -> =:CentOS release 5.2 (Final)

But I couldn't figure out the syntax to make regular expressions work, to take into account .x OS upgrades. Can someone post what the comparable line for CentOS should be to this:

r:^Red Hat Enterprise Linux \S+ release 5;

Thanks again.

Aaron

On Tue, Oct 28, 2008 at 4:55 PM, Aaron Bliss <[EMAIL PROTECTED]> wrote:

> Daniel,
> That was it. Server and client were upgraded from earlier releases. CIS
> auditing now working. Thanks for your help.
>
> Aaron
>
> On Tue, Oct 28, 2008 at 3:18 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
>> Hi Aaron,
>>
>> These are enabled by default if you did a fresh install of 1.6/1.6.1.
>> If you run the rootcheck_control tool
>> you will be able to see what has been reported. If you want to receive
>> email alerts on these, follow
>> the instructions on that link to create a custom rule.
>>
>> If you upgraded from 1.5 or below, you need to add the CIS files to
>> your rootcheck config. Ex:
>>
>> <rootcheck>
>>   <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>   <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>   <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>   <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> </rootcheck>
>>
>> Hope it helps.
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Sat, Oct 25, 2008 at 10:30 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
>> > Hi all,
>> > I'm running version 1.6.1. I'm looking for documentation on how to enable
>> > CIS benchmark auditing on the server and clients. I came across this link in
>> > the wiki, but I didn't see any documentation on configuring/enabling the
>> > auditing policy or rules. Thanks.
>> >
>> > Aaron
>> >
>> > http://www.ossec.net/wiki/index.php/Know_How:UnixPolicy
