From: "Alarie, Maxime"
Subject: CIS and audit rules
Date: Fri, 28 Aug 2015 20:12:33 +0000
Message-ID: <23396023F719ED41888885C3B22D602F03714E@WPEXCH2010MR11.bur.hydro.qc.ca>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Anyone ever implemented auditd by following the CIS standards described here? https://benchmarks.cisecurity.org/downloads/show-single/?file=suse11.110

Is it too restrictive? Not enough? Too resource-consuming? I would like some comments/opinions if possible.

Many thanks.
From: John Jasen
Subject: Re: CIS and audit rules
Date: Wed, 2 Sep 2015 19:01:50 -0400
Message-ID: <55E77FDE.6020803@gmail.com>
In-Reply-To: <23396023F719ED41888885C3B22D602F03714E@WPEXCH2010MR11.bur.hydro.qc.ca>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I've been testing a variant of the CIS benchmarks, supplemented (for compliance reasons) by the NIST USGCB baselines.

I've also been testing auditd with setuid/setgid binaries.

Also as a potential replacement for aide (again, mostly compliance reasons).

Your use of auditd rules depends a lot on your drivers for doing so, and your desired results.

On 08/28/2015 04:12 PM, Alarie, Maxime wrote:
> Anyone ever implemented auditd by following the CIS standards
> described here?
> https://benchmarks.cisecurity.org/downloads/show-single/?file=suse11.110
>
> Is it too restrictive? Not enough? Too resource-consuming? I
> would like some comments/opinions if possible.
>
> Many thanks.
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
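The two uses John mentions, rules around setuid/setgid binaries and file watches standing in for aide, as an added example that is not part of the thread or of the CIS document it discusses. The rule lines are in auditctl(8)/audit.rules syntax; the function names, the stdin/argument interface, and the sample paths (/usr/bin/passwd, /usr/bin/sudo, /etc/passwd, /etc/shadow) are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): generate auditd rules for the two uses
# discussed, privileged (setuid/setgid) command execution and aide-style
# file-integrity watches. Function names and sample paths are assumptions.

# privileged_rules: read setuid/setgid binary paths from stdin, one per line,
# and emit one CIS-style "privileged" rule per binary. Filtering on
# auid>=1000 (interactive users) and auid!=4294967295 (unset auid, i.e.
# daemons and boot-time processes) keeps system services out of the log,
# which is where most of the volume would otherwise come from.
privileged_rules() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n' \
            '-a' "$path"
    done
}

# find_privileged: enumerate setuid/setgid files on local filesystems, the
# way the CIS benchmark text does. Not run by the test; used on a real host.
find_privileged() {
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
}

# integrity_watches: emit a write/attribute-change watch for each path given
# as an argument. This records who changed the file and through which
# syscall at the moment it happens, rather than aide's periodic hash diff.
integrity_watches() {
    for p in "$@"; do
        printf '%s %s -p wa -k integrity\n' '-w' "$p"
    done
}

# rule_count: count the syscall rules (-a lines) in a rule set read from
# stdin. A rough load indicator: each -a always,exit rule is evaluated on
# every matching syscall exit, so a long list on a busy host is noticeable.
rule_count() {
    grep -c '^-a '
}

# Stand-alone usage on a real host (commented out so the block runs anywhere):
#   find_privileged | privileged_rules > /etc/audit/rules.d/50-privileged.rules
#   integrity_watches /etc/passwd /etc/shadow /etc/sudoers \
#       > /etc/audit/rules.d/60-integrity.rules
#   augenrules --load && auditctl -l
```

On the resource question in the original post: rules keyed on a file path (both -w watches and -F path rules) are matched against the kernel's inode watch list, whereas a rule keyed only on a syscall (for example every execve) is checked at every matching syscall exit, so a handful of path-based rules is far cheaper than one broad -S rule. After loading, `auditctl -s` reports the lost-event counter, which is the practical signal that a rule set is too heavy for the host.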