From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Rye, Gene R."
Subject: Setting Audit Rules
Date: Mon, 25 Jul 2011 11:27:33 -0700
Message-ID: <9180F6B27399C541B10663E21C8BDE9201D0F567@0461-its-exmb09.us.saic.com>
To: linux-audit@redhat.com

I am attempting to secure a RHEL 5 64bit system. I am modifying the stig.rules file to use as the audit.rules file. The NSA guide identifies some rules requiring the ARCH value to be either 64b or 32b. Some existing rules have both OS versions being audited. Should I leave both available even though my system is 64b or should I only use the 64b options?

Thanks

Gene Rye


From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Setting Audit Rules
Date: Mon, 25 Jul 2011 15:06:26 -0400
Message-ID: <201107251506.26786.sgrubb@redhat.com>
References: <9180F6B27399C541B10663E21C8BDE9201D0F567@0461-its-exmb09.us.saic.com>
In-Reply-To: <9180F6B27399C541B10663E21C8BDE9201D0F567@0461-its-exmb09.us.saic.com>
To: linux-audit@redhat.com
Cc: "Rye, Gene R."

On Monday, July 25, 2011 02:27:33 PM Rye, Gene R. wrote:
> I am attempting to secure a RHEL 5 64bit system. I am modifying the
> stig.rules file to use as the audit.rules file. The NSA guide
> identifies some rules requiring the ARCH value to be either 64b or 32b.
> Some existing rules have both OS versions being audited. Should I leave
> both available even though my system is 64b or should I only use the 64b
> options?

All 64 bit x86_64 systems have both a 64 and 32 bit interface. So, you want
both. 32 bit systems don't and you would only want 32 bit values for them.

-Steve
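
A check that follows from the answer above, added here as an example and not part of the original thread: it scans an audit.rules file and reports syscall rule groups that lack an `arch=b32` or `arch=b64` counterpart. The sample rules, key names and function names are constructed for illustration, and grouping rules by their `-k` key is an assumption about how the file is organised.

```python
import shlex
from collections import defaultdict

# Constructed sample rules (not copied from stig.rules or the NSA guide).
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S chmod -S fchmod -F auid>=500 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -F auid>=500 -k perm_mod
-w /etc/passwd -p wa -k identity
-a always,exit -S mount -k export
"""

def parse_syscall_rule(line):
    """Return (arch, key) for a rule that names syscalls with -S, else None."""
    tokens = shlex.split(line)
    arch, key, has_syscall = None, None, False
    for opt, val in zip(tokens, tokens[1:]):  # each option takes one value
        if opt == "-F" and val.startswith("arch="):
            arch = val.split("=", 1)[1]
        elif opt == "-S":
            has_syscall = True
        elif opt == "-k":
            key = val
    return (arch, key) if has_syscall else None

def arch_coverage(rules_text):
    """Map each rule key to the set of arch values its syscall rules carry."""
    coverage = defaultdict(set)
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_syscall_rule(line)
        if parsed:
            arch, key = parsed
            # Rules without -k are tracked by their full text (a simplification).
            coverage[key or line].add(arch or "unspecified")
    return dict(coverage)

def missing_arch(rules_text, required=("b32", "b64")):
    """Return {key: [arch values absent]}; the default suits an x86_64 host."""
    cov = arch_coverage(rules_text)
    gaps = {k: sorted(set(required) - a) for k, a in cov.items()}
    return {k: m for k, m in gaps.items() if m}

if __name__ == "__main__":
    print(missing_arch(SAMPLE_RULES))
```

For a 32 bit host, call `missing_arch(text, required=("b32",))`. Syscall lists legitimately differ between the two interfaces, which is why the comparison is per key and not per syscall name.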