From: John Jasen
Subject: Re: CIS and audit rules
Date: Wed, 2 Sep 2015 19:01:50 -0400
Message-ID: <55E77FDE.6020803@gmail.com>
In-Reply-To: <23396023F719ED41888885C3B22D602F03714E@WPEXCH2010MR11.bur.hydro.qc.ca>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I've been testing a variant of the CIS benchmarks, supplemented (for compliance reasons) by the NIST USGCB baselines.

I've also been testing auditd with setuid/setgid binaries, and also as a potential replacement for aide (again, mostly for compliance reasons).

Your use of auditd rules depends a lot on your drivers for doing so, and your desired results.

On 08/28/2015 04:12 PM, Alarie, Maxime wrote:
> Anyone ever implemented auditd by following the CIS standards described here?
> https://benchmarks.cisecurity.org/downloads/show-single/?file=suse11.110
>
> Is it too restrictive? Not enough? Too resource-consuming? I would like some comments/opinions if possible.
>
> Many thanks.
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

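The two things John mentions testing, auditd on setuid/setgid binaries and auditd standing in for aide, correspond to the two rule families the CIS benchmarks prescribe: an execution rule per privileged binary, and write/attribute watches on identity files. The POSIX shell script below is an added example, not code from either message or from the CIS benchmark itself; it generates both families from a filesystem scan and a fixed path list so the result can be reviewed before it is dropped into /etc/audit/rules.d/. The `-k` keys, the `auid>=1000` threshold, the watched path list and the function names are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example (not from the thread): generate CIS-style auditd rules.
# Rule shapes follow the CIS benchmark convention; keys, the auid threshold
# and the watched path list are assumptions for illustration.

# One "-a always,exit" rule per setuid/setgid binary under ROOT (default /).
# auid>=1000 keeps the noise down to real logins; 4294967295 is the unset
# auid used by daemons and boot-time processes.
gen_privileged_rules() {
    root="${1:-/}"
    key="${2:-privileged}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort \
        | while IFS= read -r path; do
            printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -k %s\n' \
                "$path" "$key"
          done
}

# Write and attribute-change watches in the style of the CIS "identity" rules.
# This is the part that overlaps what aide checks, with the caveat that it
# covers only the listed paths, and only while auditd is running; it does not
# give you a baseline hash to compare against after the fact.
gen_identity_watches() {
    key="${1:-identity}"
    for path in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/security/opasswd; do
        printf -- '-w %s -p wa -k %s\n' "$path" "$key"
    done
}

# Write both families to OUT and return the number of rule lines produced,
# so a caller can sanity-check the count before loading the file.
write_rules_file() {
    out="$1"
    root="${2:-/}"
    {
        echo "## generated $(date -u +%Y-%m-%dT%H:%M:%SZ) from scan of $root"
        gen_privileged_rules "$root"
        gen_identity_watches
    } > "$out"
    grep -c '^-[aw] ' "$out"
}
```

Usage: `write_rules_file /etc/audit/rules.d/50-cis.rules /` as root, then `augenrules --load` and confirm with `auditctl -l`. Re-run the scan after package updates, since a new setuid binary is invisible to the existing rules until its path rule is added; that gap is one reason the benchmark does not treat these rules as a full replacement for a file-integrity baseline.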