Yes, looks like those rules should have a "!". I think it would make sense to have rules like this instead:

# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> !r:SELINUX=enforcing;

# 1.4.3 Set selinux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;

Regarding the other checks I am not sure what you mean. What is the problem there?

Santiago.

On Tue, Jul 28, 2015 at 12:14 PM, theresa mic-snare <[email protected]> wrote:
> Hi again,
>
> I don't quite understand how these checks work.
> Rootcheck complains about the following checks:
>
> 2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
> System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>
> 2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
> System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux policy not set to targeted. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6
>
> It's perfectly clear what is meant by it, but for the sake of it, I will post what's in the CIS file as well:
>
> # 1.4.2 Set selinux state
> [CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
> f:/etc/selinux/config -> r:SELINUX=enforcing;
>
> # 1.4.3 Set selinux policy
> [CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
> f:/etc/selinux/config -> r:SELINUXTYPE=targeted;
>
> meaning I have to check the SELinux config, here we go:
>
> SELINUX=enforcing
> SELINUXTYPE=targeted
>
> Sorry, but what am I doing wrong here... I don't understand it.
>
> Other checks are not being "acknowledged" either...
>
> # Controls source route validation
> net.ipv4.conf.all.accept_source_route = 1
>
> # Do not accept source routing
> net.ipv4.conf.default.accept_source_route = 1
>
> # Controls ICMP secure redirects
> net.ipv4.conf.all.accept_redirects = 1
>
> # Log packets with impossible addresses to kernel log? yes
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.default.log_martians = 1
> net.ipv4.conf.lo.log_martians = 1
> net.ipv4.conf.eth0.log_martians = 1
>
> does this look OK to you?!
> anyone had any experience?
>
> thanks,
> theresa
>
>
> On Monday, 27 July 2015 17:01:12 UTC+2, theresa mic-snare wrote:
>>
>> Hi all,
>>
>> since https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt seems a bit incomplete, I'd start to complete it.
>> lots of important checks are still tagged as "to do"
>>
>> please let me know if anyone is already working on the RHEL6 checks or has it even completed.
>> I'd like to avoid that I work on something that someone else has already completed/or is still working on.
>>
>> so please let me know!
>>
>> i'd contribute the complete file then as a pull request on github.
>>
>> thanks,
>> theresa
>>
>> On Monday, 27 July 2015 08:46:26 UTC+2, theresa mic-snare wrote:
>>>
>>> Hi Santi,
>>>
>>> great, thanks for looking this up :)
>>>
>>> for some reason it works now.... surprising.
>>> maybe it takes some time after an initial run...
>>>
>>> I now have plenty of Outstanding events, great :))))
>>>
>>> best,
>>> theresa
>>>
>>> On Sunday, 26 July 2015 00:54:38 UTC+2, Santiago Bassett wrote:
>>>>
>>>> Hi Theresa,
>>>>
>>>> have a look at this doc:
>>>>
>>>> https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf
>>>>
>>>> I was also curious and found the explanation on page 5:
>>>>
>>>> Scored:
>>>> Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
>>>>
>>>> Not Scored:
>>>> Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
>>>>
>>>> Regarding your other question, I am not sure why you don't have alerts, are you sure you added the right config in ossec.conf? Something like <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to be added for the agents.
>>>>
>>>> Best
>>>>
>>>> On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare <[email protected]> wrote:
>>>>
>>>>> I just checked my ossec.conf. I was surprised to find out that the rootcheck for CIS isn't even defined.
>>>>> but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx Santi :)
>>>>>
>>>>> when I called rootcheck_control I got the following return
>>>>> Resolved events:
>>>>>
>>>>> ** No entries found.
>>>>>
>>>>> Outstanding events:
>>>>>
>>>>> ** No entries found.
>>>>>
>>>>>
>>>>> is this possible?
>>>>> does this need to run a few times (more than once) in order to show anything?
>>>>> maybe it has to do with the rhel6 cis check seeming a bit incomplete
>>>>>
>>>>> what does SCORED and NOT SCORED mean in the cis check?
>>>>>
>>>>> i find it hard to believe that my system passed all the tests...
>>>>>
>>>>>
>>>>> On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote:
>>>>>>
>>>>>> I think this is the latest version of those rules:
>>>>>>
>>>>>> https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
>>>>>>
>>>>>> On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare <[email protected]> wrote:
>>>>>>
>>>>>>> also, I'd like to update this page to something more up-to-date (RHEL 6 / 7) once I understand how it works and what it does
>>>>>>>
>>>>>>> http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html
>>>>>>>
>>>>>>> reading into it right now...
>>>>>>>
>>>>>>> On Tuesday, 14 July 2015 20:03:24 UTC+2, theresa mic-snare wrote:
>>>>>>>>
>>>>>>>> hi folks,
>>>>>>>>
>>>>>>>> i just found this interesting thread.
>>>>>>>> wanted to ask, is there any update with this? how could I contribute? I could do some testing on CentOS 6/RHEL...
>>>>>>>>
>>>>>>>> On Wednesday, 23 July 2014 15:45:46 UTC+2, Michael Starks wrote:
>>>>>>>>>
>>>>>>>>> On 2014-07-23 4:56, Christian Beer wrote:
>>>>>>>>> > Hi I downloaded the Benchmark paper and took a quick look.
>>>>>>>>> >
>>>>>>>>> > The question is what is to do? As I understand the document one has to copy the script snippets from the audit sections into the CIS text files and annotate with some information, right?
>>>>>>>>> >
>>>>>>>>> > This seems to me like a copy&paste job and a pull request on github.
>>>>>>>>>
>>>>>>>>> It's a little more involved than that. The CIS checks are performed by rootcheck and that has its own syntax. It doesn't just execute scripts.
>>>>>>>>>
>>>>>>> --
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
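To make the behaviour discussed above concrete, here is an added Python example (not OSSEC's code and not part of this thread) that evaluates a single rootcheck-style `f:<path> -> [!]r:<regex>;` check against an embedded copy of the posted /etc/selinux/config. It assumes a hypothetical minimal parser for just that form, uses Python's `re` in place of OSSEC's own regex dialect, and skips comment lines as a simplification; it shows why the shipped `r:` rule alerts on a compliant host while the negated `!r:` form alerts only when the expected setting is absent.

```python
import re

# Constructed sample of /etc/selinux/config, matching what was posted in the thread.
SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# Hypothetical minimal grammar: only the 'f:<path> -> [!]r:<regex>;' form used above.
RULE_RE = re.compile(r"^f:(?P<path>\S+)\s*->\s*(?P<neg>!?)r:(?P<pat>.+?);\s*$")


def parse_rule(line):
    """Return (path, negated, compiled_regex) for one check line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported check line: {line!r}")
    # Python's re stands in for OSSEC's regex engine (assumption of this example).
    return m.group("path"), m.group("neg") == "!", re.compile(m.group("pat"))


def check_fires(rule_line, files):
    """True when rootcheck would raise a 'System Audit' alert for this check.

    `files` maps a path to its contents so the example runs without touching disk.
    The alert fires when the check is TRUE: with r: that means the pattern IS
    present in the file, with !r: it means the pattern is absent. Blank and
    comment lines are ignored (a simplification, not necessarily OSSEC's rule).
    A missing file has no matching lines, so a negated check still fires.
    """
    path, negated, pat = parse_rule(rule_line)
    content = files.get(path, "")
    matched = any(pat.search(line) for line in content.splitlines()
                  if line.strip() and not line.lstrip().startswith("#"))
    return matched != negated


FILES = {"/etc/selinux/config": SELINUX_CONFIG}
AS_SHIPPED = "f:/etc/selinux/config -> r:SELINUX=enforcing;"
PROPOSED = "f:/etc/selinux/config -> !r:SELINUX=enforcing;"

if __name__ == "__main__":
    print("shipped rule fires on a compliant host:", check_fires(AS_SHIPPED, FILES))
    print("negated rule fires on a compliant host:", check_fires(PROPOSED, FILES))
    permissive = {"/etc/selinux/config": "SELINUX=permissive\nSELINUXTYPE=targeted\n"}
    print("negated rule fires on a permissive host:", check_fires(PROPOSED, permissive))
```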
