Hi Santi, great, thanks for looking this up :)
for some reason it works now....surprising. maybe it takes some time after an initial run... I now have plenty of Outstanding events, great :)))))
best, theresa

On Sunday, 26 July 2015 00:54:38 UTC+2, Santiago Bassett wrote:
>
> Hi Theresa,
>
> have a look at this doc:
>
> https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf
>
> I was also curious and found the explanation on page 5:
>
> Scored:
> Failure to comply with "Scored" recommendations will decrease the final
> benchmark score. Compliance with "Scored" recommendations will increase the
> final benchmark score.
>
> Not Scored:
> Failure to comply with "Not Scored" recommendations will not decrease the
> final benchmark score. Compliance with "Not Scored" recommendations will
> not increase the final benchmark score.
>
> Regarding your other question, I am not sure why you don't have alerts,
> are you sure you added the right config in ossec.conf? Something like
> <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to
> be added for the agents.
>
> Best
>
> On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare <[email protected]> wrote:
>
>> I just checked my ossec.conf. I was surprised to find out that the
>> rootcheck for CIS isn't even defined.
>> but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx
>> Santi :)
>>
>> when I called rootcheck_control I got the following return
>> Resolved events:
>>
>> ** No entries found.
>>
>> Outstanding events:
>>
>> ** No entries found.
>>
>> is this possible?
>> does this need to run a few times (more than once) in order to show
>> anything?
>> maybe it has to do with the fact that the rhel6 cis check seems a bit incomplete
>>
>> what does SCORED and NOT SCORED mean in the cis check?
>>
>> i find it hard to believe that my system passed all the tests...
>>
>> On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>>>
>>> I think this is the latest version of those rules:
>>>
>>> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>>>
>>> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <[email protected]> wrote:
>>>
>>>> also, I'd like to update this page to something more up-to-date (RHEL 6
>>>> / 7) once I understand how it works and what it does
>>>>
>>>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>>>
>>>> reading into it right now...
>>>>
>>>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>>>
>>>>> hi folks,
>>>>>
>>>>> i just found this interesting thread.
>>>>> wanted to ask, is there any update with this? how could I contribute?
>>>>> I could do some testing on CentOS 6/RHEL...
>>>>>
>>>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>>>
>>>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>>>> > Hi, I downloaded the Benchmark paper and took a quick look.
>>>>>> >
>>>>>> > The question is what is there to do? As I understand the document, one has
>>>>>> > to copy the script snippets from the audit sections into the CIS text files
>>>>>> > and annotate them with some information, right?
>>>>>> >
>>>>>> > This seems to me like a copy&paste job and a pull request on github.
>>>>>>
>>>>>> It's a little more involved than that. The CIS checks are performed by
>>>>>> rootcheck and that has its own syntax. It doesn't just execute scripts.
>>>>>>
>>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
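A check for the configuration point Santiago raises, added here and not part of the thread or of OSSEC itself: it parses an agent's ossec.conf for <rootcheck><system_audit> entries and reports whether the CIS policy is declared and whether its file is present on disk. The config samples are constructed; the only assumption beyond the thread is the standard OSSEC layout, including that ossec.conf may hold several top-level <ossec_config> blocks, which is not well-formed XML on its own.

```python
"""Verify that an OSSEC agent's ossec.conf declares the CIS rootcheck policy.
Assumes the standard layout <ossec_config><rootcheck><system_audit>PATH</system_audit>...
ossec.conf may contain several top-level <ossec_config> blocks, so the text is
wrapped in a synthetic root before parsing."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: rootcheck is configured, but no <system_audit> entry, so
# the CIS checks never run and rootcheck_control shows "No entries found".
CONF_WITHOUT_CIS = """\
<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
</ossec_config>
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
</ossec_config>
"""

# Constructed sample: the same agent config after adding the CIS policy file.
CONF_WITH_CIS = CONF_WITHOUT_CIS.replace(
    "</rootkit_files>",
    "</rootkit_files>\n    <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>",
)

def system_audit_paths(conf_text):
    """Return every path declared in <rootcheck><system_audit>, in file order."""
    root = ET.fromstring("<ossec_wrapper>" + conf_text + "</ossec_wrapper>")
    paths = []
    for block in root.findall("ossec_config"):
        for rootcheck in block.findall("rootcheck"):
            for entry in rootcheck.findall("system_audit"):
                if entry.text and entry.text.strip():
                    paths.append(entry.text.strip())
    return paths

def check_cis_policy(conf_text, policy_name="cis_rhel6_linux_rcl.txt", isfile=os.path.isfile):
    """Classify the config as "not declared", "declared but file missing" or "ok".
    isfile is injectable so the check can be exercised against constructed samples."""
    matches = [p for p in system_audit_paths(conf_text) if os.path.basename(p) == policy_name]
    if not matches:
        return "not declared"
    if not all(isfile(p) for p in matches):
        return "declared but file missing"
    return "ok"

if __name__ == "__main__":
    for label, conf in (("before", CONF_WITHOUT_CIS), ("after", CONF_WITH_CIS)):
        print(label, system_audit_paths(conf), check_cis_policy(conf))
```

Run it against the real /var/ossec/etc/ossec.conf of each agent, not only the manager, since rootcheck policies are evaluated on the agent side.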
