I've been trying to set up auditd for STIG compliance. I'm working with
RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
though I'm just trying to get it working on a RHEL 5.5 machine to start.
The stig.rules sample file is helpful, but I'm having difficulty filling
in the missing parts (which I suppose is probably why they're missing). I
checked Google and the past two years of list archives, and didn't find
anything relevant (though I may have missed it). Specifically:
- Monitoring system startup and shutdown. I could monitor all the
relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
around these. I'm not sure how to accurately monitor startup at all.
- Use of print command (unsuccessful and successful). I tried modifying
the "Use of privileged commands" rule to monitor the command-line print
commands and cupsd, but this didn't catch printing via GUI apps through
CUPS, and I suspect there must be a better way anyhow. There are cupsd
audit entries, but these are from the permission change/deletion rules (I
did move the print rules above those, close to the top).
If I should just be monitoring these via another facility, that may also
work. I'm also pondering the best way to get the RHEL4 machines to send
their audit logs to a central server, as there seems to be no support for
audisp at all (unless I'm missing something).
Thanks,
--Ray
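As an added illustration (not part of Ray's post or the audit project's own tooling) of the detection side of the two rule sets he describes, this Python snippet parses SYSCALL records of the shape auditd writes on RHEL 5, picks out execve events tagged with the `-k` keys assumed here to be `privileged` (shutdown/halt/reboot) and `print` (lp/lpr), and notes whether the record carries a real login uid or the unset value 4294967295 that processes started from init or at boot get. The sample records are constructed, not captured from a real system.

```python
import re
from collections import namedtuple

# Constructed sample records in the auditd SYSCALL/PATH format (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1290000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3011 pid=3012 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="shutdown" exe="/sbin/shutdown" key="privileged"
type=SYSCALL msg=audit(1290000010.456:4590): arch=c000003e syscall=59 success=no exit=-13 items=1 ppid=4100 pid=4101 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=4 comm="lp" exe="/usr/bin/lp" key="print"
type=SYSCALL msg=audit(1290000020.789:4601): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="halt" exe="/sbin/halt" key="privileged"
type=PATH msg=audit(1290000020.789:4601): item=0 name="/sbin/halt" inode=12345 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

UNSET_UID = 4294967295  # (unsigned)-1: no login uid was ever set (init/boot-time processes)
SHUTDOWN_BINARIES = ("shutdown", "halt", "reboot", "poweroff")  # basenames to treat as shutdown

Event = namedtuple("Event", "serial time auid exe success key")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')  # epoch seconds and event serial

def parse_record(line):
    """Split one audit record into a dict of fields, stripping quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = int(m.group(1)), int(m.group(2))
    return fields

def extract_events(log_text, keys=("privileged", "print")):
    """Return execve SYSCALL records tagged with one of the watched rule keys."""
    events = []
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") != "SYSCALL" or f.get("key") not in keys:
            continue  # PATH/CWD records share the serial but carry no key field
        auid = int(f["auid"])
        events.append(Event(f["_serial"], f["_time"],
                            None if auid == UNSET_UID else auid,   # None = no login uid
                            f["exe"], f["success"] == "yes", f["key"]))
    return events

def shutdown_events(events):
    """Events whose executable is one of the shutdown binaries, e.g. for alerting."""
    return [e for e in events if e.exe.rsplit("/", 1)[-1] in SHUTDOWN_BINARIES]

if __name__ == "__main__":
    for e in shutdown_events(extract_events(SAMPLE_LOG)):
        who = "auid=%s" % e.auid if e.auid is not None else "no login uid (init/boot)"
        print("%d %s success=%s %s" % (e.time, e.exe, e.success, who))
```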