
List:       ossec-list
Subject:    [ossec-list] Re: configure CIS benchmark auditing
From:       "Aaron Bliss" <aaron.bliss () gmail ! com>
Date:       2008-10-29 14:04:13
Message-ID: 20a8c0f30810290704s23f90c9ak6afc8755a3f427c0 () mail ! gmail ! com

Hi all.  I have a couple more questions on enabling CIS auditing.
Specifically, would it be possible to add support by default to the audit
files for CentOS?  I've verified that CentOS 5 works great against the
cis_rhel5_linux_rcl.txt audit file.  I'll be verifying other versions of
CentOS as well.  Also, I got the cis_rhel5_linux_rcl.txt audit file to work
against a box running CentOS 5.2.  Contents of /etc/redhat-release are:
CentOS release 5.2 (Final)

I added the following line to the cis_rhel5_linux_rcl.txt audit file to get
the auditing to work:
f:/etc/redhat-release -> =:CentOS release 5.2 (Final)

But I couldn't figure out the syntax to make regular expressions work, to
take into account .x OS upgrades.  Can someone post what the comparable
line for CentOS should be to this:
r:^Red Hat Enterprise Linux \S+ release 5;

Thanks again.

Aaron

On Tue, Oct 28, 2008 at 4:55 PM, Aaron Bliss <aaron.bliss@gmail.com> wrote:

> Daniel,
> That was it.  Server and client were upgraded from earlier releases.  CIS
> auditing now working.  Thanks for your help.
>
> Aaron
>
>
> On Tue, Oct 28, 2008 at 3:18 PM, Daniel Cid <daniel.cid@gmail.com> wrote:
>
>>
>> Hi Aaron,
>>
>> These are enabled by default if you did a fresh install of 1.6/1.6.1.
>> If you run the rootcheck_control tool
>> you will be able to see what has been reported. If you want to receive
>> email alerts on these, follow
>> the instructions on that link to create a custom rule.
>>
>> If you upgraded from 1.5 or below, you need to add the CIS files to
>> your rootcheck config. Ex:
>>
>> <rootcheck>
>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>
>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> </rootcheck>
>>
>> Hope it helps.
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Sat, Oct 25, 2008 at 10:30 AM, Aaron Bliss <aaron.bliss@gmail.com>
>> wrote:
>> > Hi all,
>> > I'm running version 1.6.1.  I'm looking for documentation on how to
>> enable
>> > CIS benchmark auditing on the server and clients.  I came across this
>> link in
>> > the wiki, but I didn't see any documentation on configuring/enabling the
>> > auditing policy or rules.  Thanks.
>> >
>> > Aaron
>> >
>> > http://www.ossec.net/wiki/index.php/Know_How:UnixPolicy
>> >
>>
>
>

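Added example, not code from this thread or from the OSSEC project: a small
Python evaluator for the rootcheck RCL "f:" checks quoted above, written to
show two things Aaron's question turns on.  First, the exact-match line he
added (=:CentOS release 5.2 (Final)) matches only 5.2, while a regex line such
as r:^CentOS release 5 also covers 5.3 and later point releases.  Second, the OS
detection check is the gate for everything after it: if no line in it matches,
the rest of the CIS file is never evaluated, which is why a missing CentOS line
silently produced no CIS results at all.  Everything in the block is an
assumption rather than something the thread states: the check titles and the
[any required] header form, the sample /etc/redhat-release and sshd_config
contents (constructed, not captured from a host), the pattern ^CentOS release 5,
the reading that a failed "required" check stops processing of the rest of the
file, and the use of Python's re module as a stand-in for OSSEC's own OS_Regex
engine (they agree on ^ and \S as used here, but other syntax may differ).

```python
import re
from dataclasses import dataclass, field

# Constructed policy in rootcheck RCL syntax. Titles and reference fields are
# made up for this example; this is NOT the shipped cis_rhel5_linux_rcl.txt.
OS_CHECK = "Example - OS is RHEL 5 or CentOS 5"
ROOT_LOGIN_CHECK = "Example - sshd permits root login"
POLICY = r"""
[Example - OS is RHEL 5 or CentOS 5] [any required] [constructed]
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;
f:/etc/redhat-release -> r:^CentOS release 5;

[Example - sshd permits root login] [any] [constructed]
f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin yes;
"""

# Constructed stand-ins for the files on four hosts (path -> file contents).
SAMPLE_HOSTS = {
    "rhel-5.2": {
        "/etc/redhat-release": "Red Hat Enterprise Linux Server release 5.2 (Tikanga)\n",
        "/etc/ssh/sshd_config": "PermitRootLogin no\n",
    },
    "centos-5.2": {
        "/etc/redhat-release": "CentOS release 5.2 (Final)\n",
        "/etc/ssh/sshd_config": "#PermitRootLogin yes\nPermitRootLogin yes\n",
    },
    "centos-5.3": {
        "/etc/redhat-release": "CentOS release 5.3 (Final)\n",
        "/etc/ssh/sshd_config": "#PermitRootLogin yes\nPermitRootLogin yes\n",
    },
    "centos-6.0": {
        "/etc/redhat-release": "CentOS release 6.0 (Final)\n",
        "/etc/ssh/sshd_config": "PermitRootLogin yes\n",
    },
}


@dataclass
class Check:
    title: str
    condition: str          # "any" or "all"
    required: bool          # assumed: a failed required check stops the file
    rules: list = field(default_factory=list)   # [(path, [(negate, op, pattern), ...])]


def parse_rule(line):
    """Parse 'f:<path> -> [!]r:<regex>|[!]=:<text>[ && ...];' (subset only)."""
    left, _, right = line.partition("->")
    kind, path = left.strip().split(":", 1)
    if kind != "f":
        raise ValueError("only f: (file) checks are handled in this example")
    conds = []
    for cond in right.strip().rstrip(";").split(" && "):
        cond = cond.strip()
        negate = cond.startswith("!")
        if negate:
            cond = cond[1:]
        op, pattern = cond[:2], cond[2:]
        if op not in ("r:", "=:"):
            raise ValueError(f"unsupported operator in rule {line!r}")
        conds.append((negate, op, pattern))
    return path, conds


def line_matches(text, conds):
    """A file line satisfies a rule only if every && condition holds on it."""
    for negate, op, pattern in conds:
        hit = re.search(pattern, text) is not None if op == "r:" else text == pattern
        if hit == negate:           # plain condition missed, or negated one hit
            return False
    return True


def rule_hits(files, path, conds):
    """True if any line of the file satisfies the rule; missing file never hits."""
    content = files.get(path)
    if content is None:
        return False
    return any(line_matches(line, conds) for line in content.splitlines())


def parse_policy(text):
    header = re.compile(r"^\[(.+?)\]\s*\[(.+?)\]\s*\[(.*?)\]$")
    checks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = header.match(line)
        if m:
            words = m.group(2).split()
            checks.append(Check(m.group(1), words[0], "required" in words))
        elif checks:
            checks[-1].rules.append(parse_rule(line))
        else:
            raise ValueError("rule line before any [check] header")
    return checks


def evaluate(policy_text, files):
    """Return (titles that fired, titles skipped because a required check failed)."""
    fired, skipped, stop = [], [], False
    for chk in parse_policy(policy_text):
        if stop:
            skipped.append(chk.title)
            continue
        results = [rule_hits(files, path, conds) for path, conds in chk.rules]
        ok = any(results) if chk.condition == "any" else all(results)
        if ok:
            fired.append(chk.title)
        elif chk.required:
            stop = True     # OS line did not match: the rest of the file is skipped
    return fired, skipped


if __name__ == "__main__":
    for host, files in SAMPLE_HOSTS.items():
        fired, skipped = evaluate(POLICY, files)
        print(f"{host}: fired={fired} skipped={skipped}")
```

Running it shows the CentOS 6.0 host firing nothing and skipping the sshd check
entirely, exactly the symptom of an OS line that does not match, whereas the
5.2 and 5.3 hosts both pass the regex gate and go on to report root login.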