My audit.rules file is full of checks like this to satisfy the STIG.

-----Original Message-----
From: Trevor Vaughan
Sent: Friday, January 5, 2018 10:17 AM
To: SCAP Security Guide <[email protected]>
Subject: Re: audit_rules_file_deletion_events

Note: That particular rule will absolutely destroy any system running HDFS.

On Fri, Jan 5, 2018 at 12:00 PM, Paige, David B CTR USARMY ICOE (US) <[email protected]> wrote:

> This check and some related ones require auditing for all users and root. The suggested line includes these elements:
>
>     -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete
>
> Should this check include "-F auid=0" to properly audit the root user?
>
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
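The question in the thread is whether the quoted rule, with its `-F auid>=500 -F auid!=4294967295` filters, ever fires for root. The following Python script is an added example, not code from the thread or from the SCAP Security Guide project: it parses the `-F auid` comparisons of an audit rule line and reports which login UIDs would pass all of them. auditctl ANDs every `-F` field on a single rule, so root (auid 0) can only be covered by a second rule line with `-F auid=0`; appending that field to the existing line would match nothing. The page's `ARCH` placeholder is filled in as `b64` purely as an assumption for the sample strings.

```python
"""Evaluate which login UIDs (auid) an auditd syscall rule would audit.

Added example for the thread above; it is not code from the SCAP Security
Guide project. It parses only the `-F auid...` comparisons of an audit rule
line (arch, syscalls and keys are carried along but not evaluated) and
reports whether sample auids pass all of them, which is how auditctl combines
multiple -F filters on one rule (logical AND). It never touches the kernel.
"""
import re

UNSET_AUID = 4294967295  # 2**32 - 1: login UID never set (daemons, early boot)

# Operators auditctl accepts in -F comparisons. The regex below tries the
# two-character operators before their one-character prefixes.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
    "=":  lambda a, b: a == b,
}
_AUID_FILTER = re.compile(r"^auid(>=|<=|!=|>|<|=)(\d+)$")

# The rule as quoted in the thread, with the page's ARCH placeholder filled
# in as b64 (an assumption; a real file carries one rule per arch).
THREAD_RULE = ("-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat "
               "-F auid>=500 -F auid!=4294967295 -k delete")
# A separate rule for root, as the question in the thread suggests. It has
# to be its own line: adding -F auid=0 to THREAD_RULE would AND it with
# auid>=500 and match nothing.
ROOT_RULE = ("-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat "
             "-F auid=0 -k delete")


def parse_auid_filters(rule):
    """Return [(op, value), ...] for every -F auid comparison in the rule."""
    tokens = rule.split()
    filters = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F":
            m = _AUID_FILTER.match(tokens[i + 1])
            if m:
                filters.append((m.group(1), int(m.group(2))))
    return filters


def rule_matches_auid(rule, auid):
    """True if auid satisfies every -F auid filter on the rule (AND semantics)."""
    return all(_OPS[op](auid, value) for op, value in parse_auid_filters(rule))


def audited_auids(rules, auids):
    """Map each sample auid to whether at least one rule in the set audits it."""
    return {a: any(rule_matches_auid(r, a) for r in rules) for a in auids}


if __name__ == "__main__":
    # Constructed sample auids: root, a system account below the page's
    # threshold, the first regular user, and a daemon with no login UID.
    samples = [0, 499, 500, UNSET_AUID]
    print("thread rule only :", audited_auids([THREAD_RULE], samples))
    print("with root rule   :", audited_auids([THREAD_RULE, ROOT_RULE], samples))
```

Run stand-alone, the script shows auid 0 and the unset auid both excluded by the quoted rule alone, and auid 0 covered once ROOT_RULE is added as a separate line. The same parser can be pointed at any rule in a live audit.rules file to confirm who a rule really covers before loading it with auditctl.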
