public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: David Flatley <dflatley@us.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: question
Date: Mon, 3 Nov 2008 12:57:27 -0500
Message-ID: <200811031257.27209.sgrubb@redhat.com>
In-Reply-To: <OF77D43B99.9185B49E-ON852574F6.005E8D5D-852574F6.005F59DC@us.ibm.com>

On Monday 03 November 2008 12:21:23 David Flatley wrote:
> I am actually using the suggested parameters from the STIG for UNIX
> guide. I have searched and found the stig.rules on the internet and we are
> going to try them. I also saw the nispom.rules but apparently they are
> for Red Hat 5 Kernel 2.6.25 it says in the file?

Yes, those rules use some recent kernel functionality in order to cover all 
the requirements. Those recent kernel updates are in the RHEL5 kernels and 
should work. They will take some re-engineering to get working on RHEL4.


> We are not using keying but will once we get the stig.rules installed
> they appear to be using the -k flag.

On RHEL4, you can only use keys on the file watches. RHEL5 you can use them on 
both syscall and file watches.


> We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is
> there a compelling reason to update to the 1.0.16 version of audit?

The change log:

1.0.16
- Update time handling for ausearch and aureport to add more keywords
- Fix the ausearch on keyword to tolerate records with no key (#402941)
- num_logs option wasn't working right on shifts (#325561)
- In auditd, resume logging on SIGUSR2 (#325561)
- ausearch needed update for escaped acct fields (#353241)
- Fix parsing filterkeys in fs_watch records

So, this has some fixups for using keys.

-Steve
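The two points in this reply, keys on watches versus syscall rules and ausearch tolerating records that carry no key, are easiest to see on the log side. The following is an added example, not code from Steve, the thread, or the audit package: a small parser for audit records that extracts the `key=` field and searches events by key the way `ausearch -k` does, skipping records that have no key at all or that carry `key=(null)` (what auditd writes for an unkeyed rule) instead of failing on them. The sample records are constructed and labelled as such; the rule lines in the comments show the two rule forms discussed (a keyed file watch, which works on RHEL4 and RHEL5, and a keyed syscall rule, which per this thread needs RHEL5).

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample records (not taken from the thread). Events 1001 and
# 1002 come from keyed rules of the two forms discussed:
#   -w /etc/passwd -p wa -k identity      (file watch: keys work on RHEL4 and RHEL5)
#   -a exit,always -S unlink -k delete    (syscall rule: keys need RHEL5)
# Event 1003 comes from an unkeyed rule, so auditd wrote key=(null).
# The PATH record belongs to event 1001 and, like all non-SYSCALL records,
# carries no key field of its own.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1225734000.101:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 items=1 ppid=1 pid=2345 auid=500 uid=0 comm="vi" exe="/bin/vi" key="identity"
type=SYSCALL msg=audit(1225734000.202:1002): arch=c000003e syscall=87 success=yes exit=0 a0=7fff5678 items=1 ppid=1 pid=2346 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=SYSCALL msg=audit(1225734000.303:1003): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9abc a1=0 items=1 ppid=1 pid=2347 auid=501 uid=501 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1225734000.101:1001): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# name=value pairs: quoted strings, parenthesised values like (null), or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# the msg=audit(<epoch.ms>:<serial>) stamp that ties records of one event together
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into a dict of field -> value.

    Quoted values lose their quotes. key=(null) becomes None, exactly like a
    record that has no key field at all, so callers never have to special-case
    either form.
    """
    fields: Dict[str, object] = {}
    for name, raw in FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            fields[name] = raw[1:-1]
        elif raw == "(null)":
            fields[name] = None
        else:
            fields[name] = raw
    m = MSG_RE.search(str(fields.get("msg", "")))
    if not m:
        raise ValueError("record has no audit(time:serial) stamp: %r" % line)
    fields["time"] = float(m.group(1))
    fields["serial"] = int(m.group(2))
    fields["key"] = fields.get("key")  # None when absent or (null)
    return fields


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line of an audit.log excerpt."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def group_events(records: List[Dict[str, object]]) -> "OrderedDict[int, list]":
    """Group records into events by serial number, keeping first-seen order."""
    events: "OrderedDict[int, list]" = OrderedDict()
    for rec in records:
        events.setdefault(rec["serial"], []).append(rec)
    return events


def search_by_key(records: List[Dict[str, object]], key: str) -> List[int]:
    """Serials of events in which any record carries the given filter key.

    Records without a key (PATH records, unkeyed rules, key=(null)) are simply
    skipped, which is the tolerant behaviour the 1.0.16 changelog describes
    for ausearch's -k search.
    """
    return [serial for serial, recs in group_events(records).items()
            if any(rec["key"] == key for rec in recs)]


def unkeyed_events(records: List[Dict[str, object]]) -> List[int]:
    """Serials of events where no record carries a key at all.

    These are the events you cannot later find with ausearch -k; on RHEL4 the
    only fix is a keyed file watch, on RHEL5 the syscall rule itself can take -k.
    """
    return [serial for serial, recs in group_events(records).items()
            if all(rec["key"] is None for rec in recs)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("identity events:", search_by_key(recs, "identity"))
    print("delete events:  ", search_by_key(recs, "delete"))
    print("unkeyed events: ", unkeyed_events(recs))
```

Searching by event serial rather than by individual record matters: the key sits on the SYSCALL record, while the PATH record that names the file lives in the same event with no key, so a per-record filter would drop the very record that tells you which path was touched.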


Thread overview: 9+ messages
2008-10-31 18:21 question David Flatley
2008-10-31 19:50 ` question Steve Grubb
2008-11-02 17:24   ` question David Flatley
2008-11-03  2:42     ` question David Flatley
2008-11-03 14:15       ` question Steve Grubb
2008-11-03 17:21         ` question David Flatley
2008-11-03 17:57           ` Steve Grubb [this message]
2008-11-02 18:25   ` question LC Bruzenak
2008-11-03  3:54     ` question David Flatley
