Setting Audit Rules

Setting Audit Rules

[Rye, Gene R.]

[-- Attachment #1.1: Type: text/plain, Size: 394 bytes --]

I am attempting to secure a RHEL 5 64bit system.  I am modifying the
stig.rules file to use as the audit.rules file.  The NSA guide
identifies some rules requiring the ARCH value to be either 64b or 32b.
Some existing rules have both OS versions being audited.  Should I leave
both available even though my system is 64b or should I only use the 64b
options?

Thanks

Gene Rye

 


[-- Attachment #1.2: Type: text/html, Size: 4631 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Setting Audit Rules

[Steve Grubb]

On Monday, July 25, 2011 02:27:33 PM Rye, Gene R. wrote:
> I am attempting to secure a RHEL 5 64bit system.  I am modifying the
> stig.rules file to use as the audit.rules file.  The NSA guide
> identifies some rules requiring the ARCH value to be either 64b or 32b.
> Some existing rules have both OS versions being audited.  Should I leave
> both available even though my system is 64b or should I only use the 64b
> options?

All 64 bit x86_64 systems have both a 64 and 32 bit interface. So, you want both. 32 
bit system don't and you would only want 32 bit values for it.

-Steve