From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: question
Date: Mon, 3 Nov 2008 12:57:27 -0500
Message-ID: <200811031257.27209.sgrubb@redhat.com>
To: David Flatley
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 03 November 2008 12:21:23 David Flatley wrote:
> I am actually using the suggested parameters from the STIG for UNIX
> guide. I have searched and found the stig.rules on the internet and we are
> going to try them. I also saw the nispom.rules but apparently they are
> for Red Hat 5 Kernel 2.6.25 it says in the file?

Yes, those rules use some recent kernel functionality in order to cover all
the requirements. Those recent kernel updates are in the RHEL5 kernels and
should work. They will take some re-engineering to get working on RHEL4.

> We are not using keying but will once we get the stig.rules installed
> they appear to be using the -k flag.

On RHEL4, you can only use keys on the file watches. RHEL5 you can use them on
both syscall and file watches.

>     We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is
> there a compelling reason to update to the
> 1.0.16 version of audit?

The change log

1.0.16
- Update time handling for ausearch and aureport to add more keywords
- Fix the ausearch on keyword to tolerate records with no key (#402941)
- num_logs option wasn't working right on shifts (#325561)
- In auditd, resume logging on SIGUSR2 (#325561)
- ausearch needed update for escaped acct fields (#353241)
- Fix parsing filterkeys in fs_watch records

So, this has some fixups for using keys.

-Steve
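The point in the reply about keys (-k) being accepted only on file watches (-w) on RHEL4, but on both file watches and syscall rules (-a) on RHEL5, is the kind of thing a practitioner wants to check mechanically before loading a downloaded stig.rules on an older kernel. The script below is an added example and is not code from the linux-audit thread, from the audit package, or from the STIG rules; the rule lines it parses are constructed samples in audit.rules syntax, not the real stig.rules. It reports the syscall rules that carry a key (the ones RHEL4 would reject) and produces a rule set with those keys stripped while the keys on file watches are kept.

```python
"""Check an audit.rules file for key (-k) usage that RHEL4's audit kernel
support will not accept (added example, not from the thread).

Per the mailing-list reply: RHEL4 accepts -k only on file watches (-w);
RHEL5 accepts it on both file watches and syscall rules (-a).
"""
import shlex

# Constructed sample rules (audit.rules syntax); not the real stig.rules.
SAMPLE_RULES = """\
# constructed example rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a exit,always -S settimeofday -S adjtimex -k time-change
-a exit,always -S sethostname -k system-locale
-a exit,always -S mount -S umount2
"""


def parse_rule(line):
    """Split one rule line into (kind, tokens, key).

    kind is 'watch' for -w rules, 'syscall' for -a/-A rules, or None for
    blank lines, comments and anything else; key is the -k value or None.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None, tokens, None
    kind = None
    if "-w" in tokens:
        kind = "watch"
    elif "-a" in tokens or "-A" in tokens:
        kind = "syscall"
    key = None
    if "-k" in tokens:
        i = tokens.index("-k")
        if i + 1 < len(tokens):
            key = tokens[i + 1]
    return kind, tokens, key


def syscall_rules_with_keys(text):
    """Return [(rule_line, key)] for syscall rules carrying -k.

    These are the rules that need re-engineering for RHEL4; on RHEL5 they
    are fine as written.
    """
    found = []
    for line in text.splitlines():
        kind, _tokens, key = parse_rule(line)
        if kind == "syscall" and key is not None:
            found.append((line.strip(), key))
    return found


def strip_syscall_keys(text):
    """Return an RHEL4-compatible rule set.

    '-k key' is removed from syscall rules only; file watches keep their
    keys because RHEL4 supports keys there.  Comments and blank lines are
    passed through unchanged.
    """
    out = []
    for line in text.splitlines():
        kind, tokens, key = parse_rule(line)
        if kind == "syscall" and key is not None:
            i = tokens.index("-k")
            tokens = tokens[:i] + tokens[i + 2:]
            out.append(" ".join(tokens))
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for rule, key in syscall_rules_with_keys(SAMPLE_RULES):
        print("RHEL4 would reject key %r on: %s" % (key, rule))
    print("--- RHEL4-compatible rules ---")
    print(strip_syscall_keys(SAMPLE_RULES))
```

Stripping the key from a syscall rule loses the ability to pull those events back out with `ausearch -k time-change`; on RHEL4 the events are still logged, but they have to be searched by syscall or other fields instead. On RHEL5 the rules can be loaded unmodified, and, as the 1.0.16 change log above notes, that release also fixes ausearch's handling of records with no key and of keys in fs_watch records, which is why updating before relying on `-k` searches is worthwhile.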