List: ossec-list
Subject: [ossec-list] Re: configure CIS benchmark auditing
From: "Aaron Bliss" <aaron.bliss () gmail ! com>
Date: 2008-10-29 14:04:13
Message-ID: 20a8c0f30810290704s23f90c9ak6afc8755a3f427c0 () mail ! gmail ! com
Hi all. I have a couple of more questions on enabling CIS auditing.
Specifically, would it be possible to add support by default to the audit
files for CentOS? I've verified that CentOS 5 works great against the
cis_rhel5_linux_rcl.txt audit file. I'll be verifying other versions of
CentOS as well. Also, I got the cis_rhel5_linux_rcl.txt audit file to work
against a box running CentOS 5.2. Contents of /etc/redhat-release are:
CentOS release 5.2 (Final)
I added the following line to the cis_rhel5_linux_rcl.txt audit file to get
the auditing to work:
f:/etc/redhat-release -> =:CentOS release 5.2 (Final)
But I couldn't figure out the syntax to make regular expressions work, to
take into account .x OS upgrades. Can someone post what should be the
comparable line for CentOS to this:
r:^Red Hat Enterprise Linux \S+ release 5;
Thanks again.
Aaron
On Tue, Oct 28, 2008 at 4:55 PM, Aaron Bliss <aaron.bliss@gmail.com> wrote:
> Daniel,
> That was it. Server and client were upgraded from earlier releases. CIS
> auditing now working. Thanks for your help.
>
> Aaron
>
>
> On Tue, Oct 28, 2008 at 3:18 PM, Daniel Cid <daniel.cid@gmail.com> wrote:
>
>>
>> Hi Aaron,
>>
>> These are enabled by default if you did a fresh install of 1.6/1.6.1.
>> If you run the rootcheck_control tool
>> you will be able to see what has been reported. If you want to receive
>> email alerts on these, follow
>> the instructions on that link to create a custom rule.
>>
>> If you upgraded from 1.5 or below, you need to add the CIS files to
>> your rootcheck config. Ex:
>>
>> <rootcheck>
>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>
>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> </rootcheck>
>>
>> Hope it helps.
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Sat, Oct 25, 2008 at 10:30 AM, Aaron Bliss <aaron.bliss@gmail.com> wrote:
>> > Hi all,
>> > I'm running version 1.6.1. I'm looking for documentation on how to enable
>> > CIS benchmark auditing on the server and clients. I came across this link in
>> > the wiki, but I didn't see any documentation on configuring/enabling the
>> > auditing policy or rules. Thanks.
>> >
>> > Aaron
>> >
>> > http://www.ossec.net/wiki/index.php/Know_How:UnixPolicy
>> >
>>
>
>
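As an added illustration (not code from the thread or from OSSEC itself), the script below approximates how rootcheck evaluates the two f:/etc/redhat-release check lines quoted in the message, showing why the exact =: line stops matching after a point release while an anchored r: regex keeps matching. The release file contents and the CentOS r: pattern are constructed assumptions, not the list's answer.

```python
import re

# Constructed sample contents of /etc/redhat-release on three hosts (not from the thread).
RELEASE_FILES = {
    "rhel5_host": "Red Hat Enterprise Linux Server release 5.2 (Tikanga)\n",
    "centos52_host": "CentOS release 5.2 (Final)\n",
    "centos53_host": "CentOS release 5.3 (Final)\n",
}

# The two check lines quoted in the message, plus an assumed regex form for CentOS
# (an illustration of the idea, not the list's answer).
CHECKS = [
    r"f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;",
    r"f:/etc/redhat-release -> =:CentOS release 5.2 (Final)",
    r"f:/etc/redhat-release -> r:^CentOS release 5;",
]

def parse_check(line):
    """Split an rcl 'f:' entry into (path, operator, pattern).
    A trailing ';' ends an entry; it is optional here because the '=:' line in
    the message was posted without one."""
    target, _, condition = line.strip().rstrip(";").partition(" -> ")
    if not target.startswith("f:") or condition[1:2] != ":":
        raise ValueError("unsupported check: %r" % line)
    return target[2:], condition[0], condition[2:]

def line_matches(op, pattern, text):
    """'=' is an exact line match, 'r' a regex search (approximating rootcheck).
    Assumption: OSSEC has its own regex engine, but '^' and '\\S+' as used in the
    RHEL pattern mean the same thing in Python's re module."""
    if op == "=":
        return text == pattern
    if op == "r":
        return re.search(pattern, text) is not None
    raise ValueError("unsupported operator: %r" % op)

def check_matches(check, file_contents):
    """True if any line of the file satisfies the check, as rootcheck evaluates f: entries."""
    _path, op, pattern = parse_check(check)
    return any(line_matches(op, pattern, ln) for ln in file_contents.splitlines())

def evaluate(checks=CHECKS, files=RELEASE_FILES):
    """Map each host to the patterns of the checks it satisfies."""
    return {host: [parse_check(c)[2] for c in checks if check_matches(c, body)]
            for host, body in files.items()}

if __name__ == "__main__":
    for host, hits in evaluate().items():
        print(host, "->", hits)
```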