Personally, I'm massively opposed to '-e 2'. I really like the ability to audit new things as I add them without rebooting my systems.

Trevor

On Fri, Oct 4, 2013 at 8:06 AM, Josh Kayse <joshua.ka...@gtri.gatech.edu> wrote:

> On 10/04/2013 07:40 AM, Trevor Vaughan wrote:
>
>> Is Augeas an option?
>>
>> This seems like the perfect opportunity to solidify the Augeas lenses
>> regarding security settings while making life easier for everyone.
>>
>> Trevor
>>
>>
>> On Thu, Oct 3, 2013 at 9:42 PM, Shawn Wells <sh...@redhat.com> wrote:
>>
>> On 10/3/13 3:11 PM, fcavi...@redhat.com wrote:
>>
>>> All,
>>>
>>> As a starting point for writing remediation fixes in the SSG - so,
>>> I did the following:
>>>
>>> $ ls ~//scap-security-guide/RHEL6/**input/checks//*.xml | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/checks
>>> $ ls ~//scap-security-guide/RHEL6/**input/fixes//*.sh | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/fixes
>>> $ sdiff ~/fixes ~/checks | less
>>>
>>> There's a fair bit of work to be done for the fix remediations...
>>>
>>> Since I'm new to the project, I was wondering if there were any
>>> ideas or standards to how the SSG should distribute some of these
>>> fixes - for example - a wholesale replacement of the audit.rules
>>> and auditd.conf might be preferable to doing piecemeal sed's.
>>>
>>
>> It'd be omgz easier to `cp /usr/share/doc/audit-*/stig.**rules
>> /etc/audit.rules`, and that likely is the right choice during an
>> initial provisioning process. But then SysAdmins tailor audit rules,
>> the system evolves, and we need to evaluate the audit.rules file
>> against specific auditing guidance items after the pristine
>> audit.rules template is manipulated.
>>
>> So, if a single rule must be remediated, we can't blow away the
>> whole audit.rules file. Super fun sed scripts it is =/
>>
>> <snip>
>>
>
> I think that augeas is a good idea. We need to be careful that rules that
> are inserted into audit.rules happen before any '-e 2' line (if one
> exists). Otherwise they will fail to be inserted because the audit rules
> become locked.
>
> -josh
>
> --
> 404.407.6630
>
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
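
The ordering constraint Josh raises, combined with Shawn's point that a single rule has to be remediated without replacing a tailored audit.rules, as an added example that is not part of the thread or of the SSG's own fix scripts. The helper name `ensure_audit_rule` and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not an SSG fix script. ensure_audit_rule is a hypothetical
# helper name; the caller supplies the rules file path.

# ensure_audit_rule FILE RULE
# Makes sure RULE is in FILE ahead of any "-e 2" line, which locks the audit
# configuration until reboot. Safe to run repeatedly.
ensure_audit_rule() {
    file=$1
    tmp=$(mktemp) || return 1
    # RULE goes through the environment so awk does not interpret backslashes.
    RULE=$2 awk '
        BEGIN { rule = ENVIRON["RULE"] }
        # First lock line: put the rule in front of it if not yet seen.
        /^[ \t]*-e[ \t]+2[ \t]*$/ && !locked {
            if (!seen) { print rule; seen = 1 }
            locked = 1
        }
        $0 == rule {
            if (locked) next    # a copy after the lock never loads: drop it
            seen = 1
        }
        { print }
        # No lock line and no existing copy: append.
        END { if (!seen) print rule }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rewrite in place (keeps owner, mode and SELinux label) only on change.
    cmp -s "$file" "$tmp" || cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample rules file, for demonstration only.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-e 2
EOF
ensure_audit_rule "$demo_rules" '-w /etc/shadow -p wa -k identity'
ensure_audit_rule "$demo_rules" '-w /etc/shadow -p wa -k identity'  # no-op
cat "$demo_rules"
rm -f "$demo_rules"
```

On a system where the lock is already loaded, the edited file only takes effect after the next reboot.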