Hi Theresa,

have a look at this doc:

https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf

I was also curious and found the explanation on page 5:

Scored:
Failure to comply with "Scored" recommendations will decrease the final
benchmark score. Compliance with "Scored" recommendations will increase the
final benchmark score.

Not Scored:
Failure to comply with "Not Scored" recommendations will not decrease the
final benchmark score. Compliance with "Not Scored" recommendations will
not increase the final benchmark score.


Regarding your other question, I am not sure why you don't have alerts. Are
you sure you added the right config in ossec.conf? Something like
<system_audit>path_to_your_cis_rules</system_audit>. Remember it needs to
be added for the agents.

Best

On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare <[email protected]>
wrote:

> I just checked my ossec.conf I was surprised to find out that the
> rootcheck for CIS isn't even defined.
> but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx
> Santi :)
>
> when I called rootcheck_control I got the following return
> Resolved events:
>
> ** No entries found.
>
> Outstanding events:
>
> ** No entries found.
>
>
> is this possible?
> does this need to run a few times (more than once) in order to show
> anything?
> maybe it has to do that the rhel6 cis check seems a bit incomplete
>
> what does SCORED and NOT SCORED mean in the cis check?
>
> i find it hard to believe that my system passed all the tests...
>
>
> On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>>
>> I think this is the latest version of those rules:
>>
>>
>> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>>
>> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <[email protected]>
>> wrote:
>>
>>> also, I'd like to update this page to something more up-to-date (RHEL 6
>>> / 7) once I understand how it works and what it does
>>>
>>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>>
>>> reading into it right now...
>>>
>>>
>>>
>>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>>
>>>> hi folks,
>>>>
>>>> i just found this interesting thread.
>>>> wanted to ask, is there any update with this? how could I contribute? I
>>>> could do some testing on CentOS 6/RHEL...
>>>>
>>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>>
>>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>>> > Hi I downloaded the Benchmark paper and took a quick look.
>>>>> >
>>>>> > The question is what is to do? As I understand the document one has to
>>>>> > copy the script snippets from the audit sections into the CIS text files
>>>>> > and annotate with some information, right?
>>>>> >
>>>>> > This seems to me like a copy&paste job and a pull request on github.
>>>>>
>>>>> It's a little more involved than that. The CIS checks are performed by
>>>>> rootcheck and that has its own syntax. It doesn't just execute
>>>>> scripts.
>>>>>
>>>>  --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
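
The configuration check suggested in the reply above, as an added example that is not part of the original thread or of OSSEC itself: it reads an agent's ossec.conf and reports why rootcheck would have no CIS policy to run. The sample configuration and its file paths are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample agent ossec.conf; paths are assumed, not taken from the thread.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
  </rootcheck>
</ossec_config>
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
</ossec_config>
"""

def rootcheck_settings(conf_text):
    """Return (disabled, system_audit_paths) merged over every <ossec_config> block."""
    # A file with several top-level <ossec_config> blocks is not well-formed XML,
    # so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    disabled, paths = False, []
    for rc in root.iter("rootcheck"):
        flag = rc.findtext("disabled")
        if flag is not None:
            disabled = flag.strip().lower() == "yes"
        paths += [(e.text or "").strip() for e in rc.findall("system_audit")]
    return disabled, paths

def findings(conf_text, exists=os.path.isfile):
    """List reasons why rootcheck would produce no CIS audit events."""
    disabled, paths = rootcheck_settings(conf_text)
    out = []
    if disabled:
        out.append("rootcheck is disabled")
    if not paths:
        out.append("no <system_audit> policy file configured")
    # A configured policy that is missing on disk yields no audit results either.
    out += ["policy file not found: " + p for p in paths if not exists(p)]
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_CONF) or ["rootcheck audit configuration looks complete"]:
        print(line)
```

Run it on the agent itself, since the `exists` check looks at the local filesystem.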
