Hi all,

since https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt seems a bit incomplete, I'd start to complete it. Lots of important checks are still tagged as "to do".

Please let me know if anyone is already working on the RHEL6 checks or has even completed them. I'd like to avoid working on something that someone else has already completed or is still working on. So please let me know! I'd contribute the complete file then as a pull request on GitHub.

thanks,
theresa

On Monday, 27 July 2015 08:46:26 UTC+2, theresa mic-snare wrote:
>
> Hi Santi,
>
> great, thanks for looking this up :)
>
> for some reason it works now....surprising.
> maybe it takes some time after an initial run...
>
> I now have plenty of Outstanding events, great :)))))
>
> best,
> theresa
>
> On Sunday, 26 July 2015 00:54:38 UTC+2, Santiago Bassett wrote:
>>
>> Hi Theresa,
>>
>> have a look at this doc:
>>
>> https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf
>>
>> I was also curious and found the explanation on page 5:
>>
>> Scored:
>> Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
>>
>> Not Scored:
>> Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
>>
>> Regarding your other question, I am not sure why you don't have alerts, are you sure you added the right config in ossec.conf? Something like <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to be added for the agents.
>>
>> Best
>>
>> On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare <[email protected]> wrote:
>>
>>> I just checked my ossec.conf. I was surprised to find out that the rootcheck for CIS isn't even defined.
>>> but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx Santi :)
>>>
>>> when I called rootcheck_control I got the following return
>>> Resolved events:
>>>
>>> ** No entries found.
>>>
>>> Outstanding events:
>>>
>>> ** No entries found.
>>>
>>> is this possible?
>>> does this need to run a few times (more than once) in order to show anything?
>>> maybe it has to do with the rhel6 cis check seeming a bit incomplete
>>>
>>> what does SCORED and NOT SCORED mean in the cis check?
>>>
>>> i find it hard to believe that my system passed all the tests...
>>>
>>> On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>>>>
>>>> I think this is the latest version of those rules:
>>>>
>>>> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>>>>
>>>> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <[email protected]> wrote:
>>>>
>>>>> also, I'd like to update this page to something more up-to-date (RHEL 6 / 7) once I understand how it works and what it does
>>>>>
>>>>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>>>>
>>>>> reading into it right now...
>>>>>
>>>>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>>>>
>>>>>> hi folks,
>>>>>>
>>>>>> i just found this interesting thread.
>>>>>> wanted to ask, is there any update with this? how could I contribute?
>>>>>> I could do some testing on CentOS 6/RHEL...
>>>>>>
>>>>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>>>>
>>>>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>>>>> > Hi, I downloaded the Benchmark paper and took a quick look.
>>>>>>> >
>>>>>>> > The question is what is to do? As I understand the document one has to copy the script snippets from the audit sections into the CIS text files and annotate with some information, right?
>>>>>>> >
>>>>>>> > This seems to me like a copy&paste job and a pull request on github.
>>>>>>>
>>>>>>> It's a little more involved than that. The CIS checks are performed by rootcheck and that has its own syntax. It doesn't just execute scripts.
>>>>>>>
>>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
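To illustrate Michael Starks's point that rootcheck evaluates its own declarative RCL syntax rather than running scripts, here is an added example (not OSSEC's code and not from anyone in this thread): a small Python re-implementation of how `f:` entries in a file like cis_rhel6_linux_rcl.txt are evaluated against a host. The RCL text, check names, the REF-PLACEHOLDER reference field and the sample file contents are constructed; only `f:` entries with `r:` conditions and the `[any]`/`[all]` header conditions are modelled, and the regex translation assumes OSSEC's dialect in which `\.` means any character.

```python
import re

# Constructed RCL text in the style of cis_rhel6_linux_rcl.txt; check names and the
# reference field are placeholders, not copied from the OSSEC file.
RCL = r"""
[CIS - RHEL6 - 1.1.1 - /tmp is not on its own partition] [any] [REF-PLACEHOLDER]
f:/etc/fstab -> !r:/tmp;
[CIS - RHEL6 - 1.1.2 - /tmp partition without nodev] [all] [REF-PLACEHOLDER]
f:/etc/fstab -> r:/tmp;
f:/etc/fstab -> !r:/tmp\.+nodev;
[CIS - RHEL6 - 6.2.2 - SSH protocol version 1 enabled] [any] [REF-PLACEHOLDER]
f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
"""
# Constructed host files keyed by path, so the checks run offline on sample data.
FILES = {
    "/etc/fstab": "/dev/sda1 / ext4 defaults 1 1\n/dev/sda2 /tmp ext4 defaults 1 2\n",
    "/etc/ssh/sshd_config": "# Protocol 1\nProtocol 2,1\n",
}

def to_py(rx):
    """OSSEC regex dialect: '\\.' is any character and a bare '.' is literal. Only
    these two differences are translated, which is all the patterns above use."""
    return rx.replace("\\.", "\x00").replace(".", "\\.").replace("\x00", ".")

def line_matches(line, conds):
    """Every ' && '-joined 'r:' condition (optionally '!'-negated) holds on this line."""
    return all((re.search(to_py(c.lstrip("!")[2:]), line) is None) == c.startswith("!")
               for c in conds)

def file_check(path, pattern, files):
    """True when some line satisfies the pattern. As in rootcheck, a pattern whose
    conditions are all negated is matched positively and then inverted, so
    '!r:/tmp' means 'no line in the file mentions /tmp'."""
    lines, conds = files.get(path, "").splitlines(), pattern.split(" && ")
    if all(c.startswith("!") for c in conds):
        return not any(line_matches(l, [c[1:] for c in conds]) for l in lines)
    return any(line_matches(l, conds) for l in lines)

def run_rcl(rcl, files):
    """Names of the checks that trigger, i.e. rootcheck's 'Outstanding events'."""
    triggered, checks = [], []            # checks: [name, condition, [entry results]]
    for line in (l.strip() for l in rcl.splitlines()):
        header = re.match(r"^\[(.+?)\] \[(any|all)\] \[.*\]$", line)
        if header:
            checks.append([header.group(1), header.group(2), []])
        elif line.startswith("f:"):       # d:, p: and Windows r: entries are not modelled
            path, pattern = line.rstrip(";")[2:].split(" -> ", 1)
            checks[-1][2].append(file_check(path, pattern, files))
    for name, cond, results in checks:
        if results and (any(results) if cond == "any" else all(results)):
            triggered.append(name)
    return triggered
```

With the sample files, the /tmp partition exists, so 1.1.1 stays quiet, while the missing nodev option and the "Protocol 2,1" line both surface as outstanding events.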
