On Monday 03 November 2008 12:21:23 David Flatley wrote:
> I am actually using the suggested parameters from the STIG for UNIX
> guide. I have searched and found the stig.rules on the internet and we are
> going to try them. I also saw the nispom.rules but apparently they are
> for Red Hat 5 Kernel 2.6.25, it says in the file?
Yes, those rules use some recent kernel functionality in order to cover all
the requirements. Those recent kernel updates are in the RHEL5 kernels and
should work. They will take some re-engineering to get working on RHEL4.
> We are not using keying but will once we get the stig.rules installed;
> they appear to be using the -k flag.
On RHEL4, you can only use keys on the file watches. On RHEL5 you can use them on
both syscall and file watches.
> We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site; is
> there a compelling reason to update to the 1.0.16 version of audit?
The change log:
1.0.16
- Update time handling for ausearch and aureport to add more keywords
- Fix the ausearch on keyword to tolerate records with no key (#402941)
- num_logs option wasn't working right on shifts (#325561)
- In auditd, resume logging on SIGUSR2 (#325561)
- ausearch needed update for escaped acct fields (#353241)
- Fix parsing filterkeys in fs_watch records
So, this has some fixups for using keys.
-Steve
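An added check, not part of the mail above: Steve's point that RHEL4 only honours -k on file watches, while RHEL5 accepts it on syscall rules as well, means a rules file written for RHEL5 should be scanned for keyed -a rules before it is loaded on RHEL4. The script below does that with awk over a constructed sample rule set (the lines are modelled on STIG-style rules and are not copied from stig.rules or nispom.rules); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Given an audit.rules fragment,
# report which rules attach a filter key (-k) to a syscall rule (-a ... -S ...)
# rather than to a file watch (-w). Per the thread, RHEL4 audit only honours
# -k on file watches, so the syscall-rule keys are what needs rework on RHEL4.

# Constructed sample input, loosely modelled on STIG-style rules.
SAMPLE_RULES='
## delete any existing rules, then set the backlog
-D
-b 8192
## identity files: keyed file watches (fine on RHEL4 and RHEL5)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
## keyed syscall rules (keys only honoured on RHEL5)
-a exit,always -S unlink -S rmdir -k delete
-a exit,always -S settimeofday -S adjtimex -k time-change
## watch without -p (defaults to rwxa), still keyed
-w /var/log/audit/ -k audit-log
## syscall rule with no key at all
-a exit,always -F arch=b64 -S open -F exit=-EACCES
'

# Print "<kind> <key>" for every rule line that carries a -k key.
# kind is "watch" for -w rules and "syscall" for -a rules.
keyed_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        {
            kind = ""; key = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-w") kind = "watch"
                else if ($i == "-a") kind = "syscall"
                else if ($i == "-k" && i < NF) key = $(i + 1)
            }
            if (kind != "" && key != "") print kind, key
        }'
}

# Keys attached to syscall rules: these need a RHEL5 kernel/audit and have to
# be re-engineered (or the key dropped) before the file is loaded on RHEL4.
syscall_keys() {
    keyed_rules "$1" | awk '$1 == "syscall" { print $2 }'
}

# Number of keyed file watches, which work on both releases per the thread.
watch_key_count() {
    keyed_rules "$1" | awk '$1 == "watch"' | wc -l | tr -d ' '
}

echo "Keys on syscall rules (RHEL5 only; rework before loading on RHEL4):"
syscall_keys "$SAMPLE_RULES"
echo "Keyed file watches: $(watch_key_count "$SAMPLE_RULES")"
```

Run it against a real rules file by replacing SAMPLE_RULES with `"$(cat /etc/audit/audit.rules)"`; anything listed under the syscall heading is a rule whose key ausearch -k will not find on RHEL4, even though auditctl may load the line without complaint.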