On Tuesday 06 April 2010 04:14:32 pm rshaw1(a)umbc.edu wrote:
> - Monitoring system startup and shutdown. I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these. I'm not sure how to accurately monitor startup at all.
Init is the only thing that knows the system is changing states. Upstart was
patched to handle this requirement but the older SysVinit package has not been
patched. You should be able to watch some of the apps in the init package to
see what is happening. It won't be as nice as the upstart based solution, but
will log the event.
> - Use of print command (unsuccessful and successful). I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow. There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).
Support for auditing anything on the desktop is not really functional. Dbus
has no way of changing the auid correctly and everything passing through it
would be attributed to root. The best way to straighten this all out would be
getting the desktop through a Common Criteria certification so that all this
would get addressed, but there has never been enough interest to do this.
> If I should just be monitoring these via another facility, that may also
> work. I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).
RHEL4 won't be getting any updates to support this as far as I know. I have no
experience with any other solutions to be able to recommend any of them.
-Steve
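An added example (not from the thread) of Steve's suggestion to watch the init package's binaries: the auditd watch rules, plus a small awk filter that pulls the login uid and executable out of the SYSCALL records those rules produce. The binary paths, the `-w ... -p x -k` auditctl syntax and the sample record are assumptions; check the paths against `rpm -ql SysVinit` on the host.

```shell
#!/bin/sh
# Added example, not from the thread: watch the SysVinit state-change
# binaries with auditd and report who executed them.
# Paths are the usual RHEL locations (assumption); adjust per host.

# Emit one watch rule per init-package executable that changes run state.
# -p x fires on execute; the key lets "ausearch -k system_state" find them.
init_watch_rules() {
    for bin in /sbin/shutdown /sbin/halt /sbin/reboot /sbin/init /sbin/telinit; do
        printf -- '-w %s -p x -k system_state\n' "$bin"
    done
}

# Read raw audit records on stdin and print "auid exe" for SYSCALL records
# carrying our key. auid is the login uid, which survives su/sudo, so it
# names the person who ran the command rather than the root account.
who_changed_state() {
    awk '/type=SYSCALL/ && /key="system_state"/ {
        auid = ""; exe = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6);
            if ($i ~ /^exe=/)  exe  = substr($i, 5);
        }
        gsub(/"/, "", exe);
        print auid, exe
    }'
}

# Constructed sample record (not a real log line): login uid 500 ran
# /sbin/shutdown on an i386 box (arch=40000003, syscall=11 is execve).
SAMPLE='type=SYSCALL msg=audit(1270584872.123:4567): arch=40000003 syscall=11 success=yes exit=0 a0=bfb5b2c8 a1=bfb5b4a0 a2=bfb5b4ac a3=0 items=2 ppid=3412 pid=3419 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="shutdown" exe="/sbin/shutdown" key="system_state"'

# Show the rules to load and the user/binary extracted from the sample.
init_watch_rules
printf '%s\n' "$SAMPLE" | who_changed_state
```

Append the rule lines to /etc/audit.rules (or load them with auditctl) and run the real records through `who_changed_state` via `ausearch -k system_state --raw`.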