Hi again, I don't quite understand how these checks work. Rootcheck complains about the following checks:
2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing . File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .

2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux policy not set to targeted. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6

It's perfectly clear what is meant by it, but for the sake of it, I will post what's in the CIS file as well:

# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUX=enforcing;

# 1.4.3 Set selinux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUXTYPE=targeted;

meaning I have to check the SELinux config, here we go:

SELINUX=enforcing
SELINUXTYPE=targeted

Sorry, but what am I doing wrong here... I don't understand it.
Other checks are not being "acknowledged" either...

# Controls source route validation
net.ipv4.conf.all.accept_source_route = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 1
# Controls ICMP secure redirects
net.ipv4.conf.all.accept_redirects = 1
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

does this look OK to you?! anyone had any experience?

thanks,
theresa

On Monday, 27 July 2015 17:01:12 UTC+2, theresa mic-snare wrote:
>
> Hi all,
>
> since
> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
> seems a bit incomplete, I'd start to complete it.
> lots of important checks are still tagged as "to do"
>
> please let me know if anyone is already working on the RHEL6 checks or has
> it even completed.
> I'd like to avoid that I work on something that someone else has already
> completed/or is still working on.
>
> so please let me know!
>
> i'd contribute the complete file then as a pull request on github.
>
> thanks,
> theresa
>
> On Monday, 27 July 2015 08:46:26 UTC+2, theresa mic-snare wrote:
>>
>> Hi Santi,
>>
>> great, thanks for looking this up :)
>>
>> for some reason it works now.... surprising.
>> maybe it takes some time after an initial run...
>>
>> I now have plenty of Outstanding events, great :))))) 
>>
>> best,
>> theresa
>>
>> On Sunday, 26 July 2015 00:54:38 UTC+2, Santiago Bassett wrote:
>>>
>>> Hi Theresa,
>>>
>>> have a look at this doc:
>>>
>>> https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf
>>>
>>> I was also curious and found the explanation on page 5:
>>>
>>> Scored:
>>> Failure to comply with "Scored" recommendations will decrease the final
>>> benchmark score. Compliance with "Scored" recommendations will increase the
>>> final benchmark score.
>>>
>>> Not Scored:
>>> Failure to comply with "Not Scored" recommendations will not decrease
>>> the final benchmark score. Compliance with "Not Scored" recommendations
>>> will not increase the final benchmark score.
>>>
>>> Regarding your other question, I am not sure why you don't have alerts,
>>> are you sure you added the right config in ossec.conf? Something like
>>> <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to
>>> be added for the agents.
>>>
>>> Best
>>>
>>> On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare <[email protected]>
>>> wrote:
>>>
>>>> I just checked my ossec.conf. I was surprised to find out that the
>>>> rootcheck for CIS isn't even defined.
>>>> but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided,
>>>> thx Santi :)
>>>>
>>>> when I called rootcheck_control I got the following return
>>>> Resolved events:
>>>>
>>>> ** No entries found.
>>>>
>>>> Outstanding events:
>>>>
>>>> ** No entries found.
>>>>
>>>> is this possible?
>>>> does this need to run a few times (more than once) in order to show
>>>> anything?
>>>> maybe it has to do with the rhel6 cis check seeming a bit incomplete
>>>>
>>>> what does SCORED and NOT SCORED mean in the cis check?
>>>>
>>>> i find it hard to believe that my system passed all the tests...
>>>>
>>>> On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>>>>>
>>>>> I think this is the latest version of those rules:
>>>>>
>>>>> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>>>>>
>>>>> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> also, I'd like to update this page to something more up-to-date (RHEL
>>>>>> 6 / 7) once I understand how it works and what it does
>>>>>>
>>>>>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>>>>>
>>>>>> reading into it right now...
>>>>>>
>>>>>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>>>>>
>>>>>>> hi folks,
>>>>>>>
>>>>>>> i just found this interesting thread.
>>>>>>> wanted to ask, is there any update with this? how could I
>>>>>>> contribute? I could do some testing on CentOS 6/RHEL...
>>>>>>>
>>>>>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>>>>>
>>>>>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>>>>>> > Hi I downloaded the Benchmark paper and took a quick look.
>>>>>>>> >
>>>>>>>> > The question is what is to do? As I understand the document one
>>>>>>>> > has to copy the script snippets from the audit sections into the CIS
>>>>>>>> > text files
>>>>>>>> > and annotate with some information, right?
>>>>>>>> >
>>>>>>>> > This seems to me like a copy&paste job and a pull request on
>>>>>>>> > github.
>>>>>>>>
>>>>>>>> It's a little more involved than that. The CIS checks are performed
>>>>>>>> by rootcheck and that has its own syntax. It doesn't just execute
>>>>>>>> scripts.
>>>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>>
>>>
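Added example, not code from this thread or from the OSSEC project: a small Python model of how rootcheck-style rcl checks of the form `f:<file> -> r:<regex>;` are evaluated, so that the effect of writing the desired state versus the non-compliant state into the pattern can be seen on constructed input. The model assumes rootcheck's behaviour of raising the "System Audit" alert when a check's condition is met (`[any]`: at least one test matches; `[all]`: every test matches) and of `!` negating a test; the patterns are applied line by line with Python's `re` as a stand-in for rootcheck's own regex engine, the file contents are an in-memory dict rather than real files, and the handling of a missing file (no match, negation still applies) is this example's own choice. All check names, references and file contents below are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# One rcl check: header "[name] [any|all] [reference]" followed by f: tests.
@dataclass
class Check:
    name: str
    condition: str                       # "any" or "all"
    reference: str
    tests: list = field(default_factory=list)   # (path, negate, pattern)

HEADER = re.compile(r'^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]\s*$')
FILE_TEST = re.compile(r'^f:(\S+)\s*->\s*(!?)r:(.+?);\s*$')

def parse_rcl(text):
    """Parse the subset of rcl used here: comments, headers and f:/r: tests."""
    checks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER.match(line)
        if m:
            current = Check(m.group(1), m.group(2), m.group(3))
            checks.append(current)
            continue
        m = FILE_TEST.match(line)
        if m and current is not None:
            current.tests.append((m.group(1), m.group(2) == '!', m.group(3)))
            continue
        raise ValueError(f'unsupported rcl line: {raw!r}')
    return checks

def file_matches(content, pattern, negate):
    """True when the test is satisfied: the pattern hits some line (or, with '!', no line)."""
    hit = any(re.search(pattern, ln) for ln in content.splitlines())
    return hit != negate

def evaluate(checks, files):
    """Return the names of checks that would raise an alert.
    files: dict path -> file content (assumption: stands in for reading the real file)."""
    alerts = []
    for chk in checks:
        results = []
        for path, negate, pattern in chk.tests:
            content = files.get(path)
            if content is None:
                results.append(negate)      # example's choice: missing file never matches
            else:
                results.append(file_matches(content, pattern, negate))
        fired = any(results) if chk.condition == 'any' else all(results)
        if fired:
            alerts.append(chk.name)
    return alerts

# Constructed sample rcl: the same SELinux check written two ways, plus a sysctl check.
SAMPLE_RCL = """
# pattern names the desired state: the alert fires exactly when the host is compliant
[SELinux check, positive form] [any] [ref-placeholder]
f:/etc/selinux/config -> r:SELINUX=enforcing;

# pattern is negated and anchored: the alert fires when no live line sets enforcing
[SELinux check, negated form] [any] [ref-placeholder]
f:/etc/selinux/config -> !r:^SELINUX=enforcing;

[sysctl source routing] [any] [ref-placeholder]
f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_source_route = 0;
"""

# Constructed file contents for a compliant and a non-compliant host.
COMPLIANT = {
    '/etc/selinux/config': "# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n",
    '/etc/sysctl.conf': "net.ipv4.conf.all.accept_source_route = 0\n",
}
NONCOMPLIANT = {
    '/etc/selinux/config': "#SELINUX=enforcing\nSELINUX=permissive\nSELINUXTYPE=targeted\n",
    '/etc/sysctl.conf': "net.ipv4.conf.all.accept_source_route = 1\n",
}

if __name__ == '__main__':
    checks = parse_rcl(SAMPLE_RCL)
    print('compliant host alerts:    ', evaluate(checks, COMPLIANT))
    print('non-compliant host alerts:', evaluate(checks, NONCOMPLIANT))
```

Run stand-alone, the positive form alerts on the compliant host and, on the non-compliant host, alerts only because the unanchored pattern also hits the commented-out `#SELINUX=enforcing` line; the negated, anchored form stays quiet on the compliant host and fires on the non-compliant one, which is the behaviour a check titled "SELinux not set to enforcing" is meant to have.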
