* stig.rules
@ 2010-04-06 20:14 rshaw1
From: rshaw1 @ 2010-04-06 20:14 UTC (permalink / raw)
To: linux-audit
I've been trying to set up auditd for STIG compliance. I'm working with
RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
though I'm just trying to get it working on a RHEL 5.5 machine to start.
The stig.rules sample file is helpful, but I'm having difficulty filling
in the missing parts (which I suppose is probably why they're missing). I
checked Google and the past two years of list archives, and didn't find
anything relevant (though I may have missed it). Specifically:
- Monitoring system startup and shutdown. I could monitor all the
relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
around these. I'm not sure how to accurately monitor startup at all.
- Use of print command (unsuccessful and successful). I tried modifying
the "Use of privileged commands" rule to monitor the command-line print
commands and cupsd, but this didn't catch printing via GUI apps through
CUPS, and I suspect there must be a better way anyhow. There are cupsd
audit entries, but these are from the permission change/deletion rules (I
did move the print rules above those, close to the top).
If I should just be monitoring these via another facility, that may also
work. I'm also pondering the best way to get the RHEL4 machines to send
their audit logs to a central server, as there seems to be no support for
audisp at all (unless I'm missing something).
Thanks,
--Ray
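The first item Ray asks about, watching the shutdown/halt/reboot binaries, can be expressed directly as audit watches. The fragment below is an added example written for this thread; it is not the stig.rules sample file and not from the poster. It assumes the usual RHEL 5 paths under /sbin (shutdown, halt, reboot, and the SysVinit init/telinit utilities that actually change runlevel), the `-p x` execute-watch permission that audit 1.7 on RHEL 5 accepts, and a made-up key name, power_state, so that `ausearch -k power_state` pulls the events back out.

```shell
#!/bin/sh
# Added example, not part of stig.rules: a small audit.rules fragment that
# watches the power-state binaries plus the SysVinit utilities that change
# runlevel. Paths are the usual RHEL 5 locations (an assumption); the key
# name "power_state" is made up for this example.

write_power_state_rules() {
    # $1 = destination file (e.g. a fragment to append to /etc/audit/audit.rules)
    cat > "$1" <<'EOF'
## System startup and shutdown (added example, not stig.rules itself)
## Watch the binaries themselves for execution; a command-line caller has to
## run one of these, so this covers the obvious paths.
-w /sbin/shutdown -p x -k power_state
-w /sbin/halt -p x -k power_state
-w /sbin/reboot -p x -k power_state
## Runlevel changes go through init/telinit, which covers "init 0",
## "init 6" and a direct telinit as well.
-w /sbin/init -p x -k power_state
-w /sbin/telinit -p x -k power_state
EOF
}

# Sanity check before loading: every non-comment line must be a watch (-w) or
# syscall (-a) rule and must carry a -k key, otherwise ausearch -k cannot find
# the resulting events.
validate_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r rule; do
        case "$rule" in
            -w\ *-k\ *|-a\ *-k\ *) ;;
            *) echo "bad rule: $rule" >&2; return 1 ;;
        esac
    done
}

# Number of active rules in the fragment (lines starting with a dash).
count_rules() {
    grep -c '^-' "$1"
}

# Usage (run as root on the RHEL 5 box):
#   write_power_state_rules /tmp/power_state.rules
#   validate_rules /tmp/power_state.rules && auditctl -R /tmp/power_state.rules
#   ausearch -k power_state        # then run "shutdown -k now" as a test
```

Loading with `auditctl -R` is only for trying the fragment out; to make it survive a reboot the lines go into /etc/audit/audit.rules, ahead of any broad permission-change rules so that the key is assigned by the watch rather than by a later rule.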
* Re: stig.rules
From: Stephen John Smoogen @ 2010-04-06 21:17 UTC (permalink / raw)
Cc: linux-audit
On Tue, Apr 6, 2010 at 2:14 PM, <rshaw1@umbc.edu> wrote:
> I've been trying to set up auditd for STIG compliance. I'm working with
> RHEL 5.5 and RHEL4 with their latest default kernels (2.6.18-194 and
> 2.6.9-89.0.23) and audit packages (1.7.17-3.el5 and 1.0.16-4.el4_8.1),
> though I'm just trying to get it working on a RHEL 5.5 machine to start.
I don't think STIG was ever approved for RHEL-5 which might explain the holes.
> The stig.rules sample file is helpful, but I'm having difficulty filling
> in the missing parts (which I suppose is probably why they're missing). I
> checked Google and the past two years of list archives, and didn't find
> anything relevant (though I may have missed it). Specifically:
>
> - Monitoring system startup and shutdown. I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these. I'm not sure how to accurately monitor startup at all.
There is always going to be a cool way to monitor startup/shutdown, so
you have to figure out what is good enough for your environment (or
the approval agency has to, etc.). I was thinking aulast might help,
but it doesn't seem to.
> - Use of print command (unsuccessful and successful). I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow. There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).
Not going to be much help here either. Hopefully Steve Grubb will see this.
> If I should just be monitoring these via another facility, that may also
> work. I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).
>
I don't know of anything myself.
--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
* Re: stig.rules
From: Steve Grubb @ 2010-04-07 14:45 UTC (permalink / raw)
To: linux-audit
On Tuesday 06 April 2010 04:14:32 pm rshaw1@umbc.edu wrote:
> - Monitoring system startup and shutdown. I could monitor all the
> relevant binaries (shutdown/halt/reboot/?), but I suspect there are ways
> around these. I'm not sure how to accurately monitor startup at all.
Init is the only thing that knows the system is changing states. Upstart was
patched to handle this requirement but the older SysVinit package has not been
patched. You should be able to watch some of the apps in the init package to
see what is happening. It won't be as nice as the upstart based solution, but
will log the event.
> - Use of print command (unsuccessful and successful). I tried modifying
> the "Use of privileged commands" rule to monitor the command-line print
> commands and cupsd, but this didn't catch printing via GUI apps through
> CUPS, and I suspect there must be a better way anyhow. There are cupsd
> audit entries, but these are from the permission change/deletion rules (I
> did move the print rules above those, close to the top).
Support for auditing anything on the desktop is not really functional. Dbus
has no way of changing the auid correctly and everything passing through it
would be attributed to root. The best way to straighten this all out would be
getting the desktop through a Common Criteria certification so that all this
would get addressed, but there has never been enough interest to do this.
> If I should just be monitoring these via another facility, that may also
> work. I'm also pondering the best way to get the RHEL4 machines to send
> their audit logs to a central server, as there seems to be no support for
> audisp at all (unless I'm missing something).
RHEL4 won't be getting any updates to support this as far as I know. I have no
experience with any other solutions to be able to recommend any of them.
-Steve
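Steve's two points, watching the init-package utilities and the problem that events without a real login uid cannot be attributed to a person, both show up when the resulting SYSCALL records are read back. The script below is an added example, not code from the thread or from the audit project: it parses a few constructed records in the RHEL 5 audit 1.7 format (timestamps, serials and uids are made up), pulls out the power-state events by key, and flags the ones whose auid is the unset value 4294967295, which is what a process started by init rather than by a logged-in user carries. The key name power_state is an assumption.

```python
import re

# Constructed sample records in the RHEL 5 audit 1.7 SYSCALL format. The
# timestamps, serials, pids and uids are made up for this example; the key
# "power_state" is an assumed name for the rule that produced them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1270584000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=1 items=2 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="shutdown" exe="/sbin/shutdown" key="power_state"
type=SYSCALL msg=audit(1270584000.105:202): arch=c000003e syscall=59 success=no exit=-13 a0=1 items=2 ppid=2101 pid=2102 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 comm="reboot" exe="/sbin/reboot" key="power_state"
type=SYSCALL msg=audit(1270584000.110:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 items=2 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="telinit" exe="/sbin/telinit" key="power_state"
type=SYSCALL msg=audit(1270584000.120:204): arch=c000003e syscall=2 success=yes exit=3 a0=1 items=1 ppid=4001 pid=4002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key="perm_mod"
"""

# (unsigned)-1: the kernel reports this auid when no login uid was ever set,
# e.g. for processes spawned by init. Such events cannot be tied to a person.
UNSET_AUID = 4294967295

# key=value pairs; values are either double-quoted (may contain spaces) or a
# run of non-space characters such as audit(1270584000.101:201): or (none).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
STAMP_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_record(line):
    """Turn one audit record line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[m.group(1)] = value
    stamp = STAMP_RE.search(line)
    if stamp:
        fields["_time"] = int(stamp.group(1))
        fields["_serial"] = int(stamp.group(2))
    return fields


def power_state_events(log_text, key="power_state"):
    """Return the SYSCALL records carrying the given key, with the fields an
    analyst cares about: which binary, which login uid, did it succeed, and
    whether the login uid actually identifies a person."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse_record(line)
        if rec.get("key") != key:
            continue
        auid = int(rec["auid"])
        events.append({
            "serial": rec.get("_serial"),
            "exe": rec.get("exe"),
            "auid": auid,
            "success": rec.get("success") == "yes",
            "attributable": auid != UNSET_AUID,
        })
    return events


def unattributed_serials(events):
    """Serials of power-state events that carry no usable login uid; these are
    the ones a reviewer has to explain some other way (cron, init, dbus...)."""
    return [e["serial"] for e in events if not e["attributable"]]


if __name__ == "__main__":
    evts = power_state_events(SAMPLE_LOG)
    for e in evts:
        status = "ok" if e["success"] else "FAILED"
        who = "auid=%d" % e["auid"] if e["attributable"] else "auid UNSET"
        print("%d %-15s %-6s %s" % (e["serial"], e["exe"], status, who))
    print("unattributed:", unattributed_serials(evts))
```

Run against a real log (`ausearch -k power_state --raw` or /var/log/audit/audit.log) the same two functions work unchanged; the unattributed list is the part worth reviewing, since it is exactly the class of event Steve describes as being charged to root rather than to the person who triggered it.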