I just checked my ossec.conf and was surprised to find out that the rootcheck for CIS isn't even defined. But I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx Santi :)

When I called rootcheck_control I got the following return:

Resolved events:
** No entries found.

Outstanding events:
** No entries found.

Is this possible? Does this need to run a few times (more than once) in order to show anything? Maybe it has to do with the RHEL6 CIS check seeming a bit incomplete. What do SCORED and NOT SCORED mean in the CIS check? I find it hard to believe that my system passed all the tests...

On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>
> I think this is the latest version of those rules:
>
> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>
> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <[email protected]> wrote:
>
>> also, I'd like to update this page to something more up-to-date (RHEL 6 / 7) once I understand how it works and what it does
>>
>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>
>> reading into it right now...
>>
>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>
>>> hi folks,
>>>
>>> i just found this interesting thread.
>>> wanted to ask, is there any update with this? how could I contribute? I could do some testing on CentOS 6/RHEL...
>>>
>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>
>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>> > Hi, I downloaded the Benchmark paper and took a quick look.
>>>> >
>>>> > The question is what to do? As I understand the document, one has to copy the script snippets from the audit sections into the CIS text files and annotate them with some information, right?
>>>> >
>>>> > This seems to me like a copy&paste job and a pull request on github.
>>>>
>>>> It's a little more involved than that. The CIS checks are performed by rootcheck and that has its own syntax. It doesn't just execute scripts.
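As an added example (not from this thread or from the OSSEC project), a small Python evaluator for a subset of rootcheck's rcl syntax, to illustrate Michael's point that rootcheck entries are conditions over file contents rather than scripts to execute. It assumes the `f:` / `r:` / `!r:` / `[any]` / `[all]` forms as understood from the published rcl files; the two entries, the file contents and the reference URLs are constructed placeholders, not lines from cis_rhel6_linux_rcl.txt.

```python
import re

# Constructed rcl text in the style of cis_rhel6_linux_rcl.txt (names and
# reference URLs are placeholders, not entries from the real file).
RCL = """
[CIS - RHEL6 - Partition scheme - no separate /tmp] [any] [https://example.invalid/cis]
f:/etc/fstab -> !r:/tmp;

[CIS - RHEL6 - SSH - root login permitted] [all] [https://example.invalid/cis]
f:/etc/ssh/sshd_config -> !r:^PermitRootLogin no;
f:/etc/ssh/sshd_config -> r:^PermitRootLogin yes;
"""

# Constructed stand-ins for the files rootcheck would read on a real host.
FILES = {
    "/etc/fstab": "UUID=abc / ext4 defaults 1 1\nUUID=def /home ext4 defaults 1 2\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n",
}

HEADER = re.compile(r"^\[(?P<name>[^\]]+)\] \[(?P<mode>any|all)\] \[[^\]]*\]$")
COND = re.compile(r"^f:(?P<path>\S+) -> (?P<neg>!?)r:(?P<regex>.+);$")

def eval_condition(line, files):
    """r: holds if some line of the file matches; !r: holds if none does."""
    m = COND.match(line)
    if not m:
        raise ValueError("unsupported condition: " + line)
    content = files.get(m.group("path"))
    if content is None:  # file absent: the content condition cannot hold
        return False
    hit = any(re.search(m.group("regex"), l) for l in content.splitlines())
    return not hit if m.group("neg") else hit

def audit(rcl, files):
    """Return names of entries that fire: [any] if one condition holds, [all] if every one does."""
    findings, entries = [], []
    for line in (l.strip() for l in rcl.splitlines() if l.strip()):
        h = HEADER.match(line)
        if h:
            entries.append((h.group("name"), h.group("mode"), []))
        else:
            entries[-1][2].append(eval_condition(line, files))
    for name, mode, results in entries:
        if results and (any(results) if mode == "any" else all(results)):
            findings.append(name)
    return findings
```

With the constructed files both entries fire, which is what rootcheck_control would list as outstanding events; once /tmp is a separate mount and PermitRootLogin is set to no, audit() returns an empty list.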
