The simplest example of this is the OVAL checks for Auditd. As mentioned in the guides, you probably want to optimize your audit rules and so I did.
The first optimization is that I drop -F auid!=4294967295 as one of the first things in my chain. This means that I don't need to actually worry about that causing load via any other rules. The same with auid>=500 (which may be 1000 in EL7, but it might not, we configure that system-wide). Finally, we dig out some of the more dangerous calls and segregate them away from the others (fork, vfork, etc...) so that your system doesn't die under load.

Interestingly, what these rules do *not* check for is the presence of a rule at the top of the chain that just says "allow everything" and, of course, it doesn't check the running rules, which may be heavily truncated unless you use the '-c' option to run auditd so that it continues to apply on an error.

Thanks,

Trevor

On Mon, Nov 7, 2016 at 6:57 AM, Martin Preisler <[email protected]> wrote:
> ----- Original Message -----
> > From: "Trevor Vaughan" <[email protected]>
> > To: "SCAP Security Guide" <[email protected]>
> > Sent: Monday, October 31, 2016 4:42:51 PM
> > Subject: Integration Etiquette
> >
> > Hi All,
> >
> > After much delaying, we're hoping to start integrating our SIMP-specific
> > methods for meeting the various policy requirements directly into the SSG.
> >
> > Unfortunately, this is proving to be a bit hairy and I'd like to know
> > what you would prefer.
> >
> > ## Option 1: Fork the Entire RHEL base into SIMP/{6,7} etc...
> >
> > - We're not another OS, we're a specific (flexible) configuration set for
> > RHEL and/or CentOS
> >
> > - I'd really like to avoid this
> >
> > ## Option 2: Muck about directly in the RHEL space
> >
> > - This is my preference and I can 100% start with a set of profiles that
> > mirror the existing profiles. I guess this would be prefaced with 'simp'.
> > So, simp-C2S.xml, simp-pci-dss.xml, etc...
> >
> > - We will also need to add alternate OVAL checks that are specific to SIMP.
> > For instance, per policy, our auditd file is optimized; this means that
> > none of the included checks will pass and we need alternate checks.
> >
> > And no, in general, there is no way to determine if you're on a SIMP system
> > unless it's the Puppet Server. It's just RHEL.
>
> Could you please send an example of the differences between simp-pci-dss
> and pci-dss profiles.
>
> --
> Martin Preisler
> Identity Management and Platform Security | Red Hat, Inc.
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
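The two points Trevor makes above, that an optimized chain drops auid-unset events once with an early `never` rule instead of repeating `-F auid!=4294967295` on every rule, and that a string-matching OVAL check does not notice an "allow everything" rule ahead of the chain, as an added Python check that is not part of this thread, of SIMP or of the SSG. The sample rule lines are constructed for illustration and assume auditctl's `-a action,list -F field -S syscalls` syntax; the two check functions are this example's own logic, not an OVAL definition.

```python
import shlex

AUID_UNSET = "4294967295"  # auid of processes with no login session (the -1 sentinel)

def parse_rules(text):
    """Parse the '-a action,list ...' syscall rules in audit.rules text into dicts;
    -w/-D/-b lines are skipped and 'exit,never' is read the same as 'never,exit'."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if len(toks) < 2 or toks[0] not in ("-a", "-A"):
            continue
        rule = {"action": "never" if "never" in toks[1].split(",") else "always",
                "syscalls": [], "filters": []}
        for opt, val in zip(toks[2::2], toks[3::2]):  # every -a option takes one value
            if opt == "-S":
                rule["syscalls"] += val.split(",")
            elif opt == "-F":
                rule["filters"].append(val)
        rules.append(rule)
    return rules

def find_catch_all(rules):
    """Index of a 'never' rule for every syscall with no filter beyond arch (it silences every later rule)."""
    for i, r in enumerate(rules):
        if r["action"] == "never" and "all" in r["syscalls"] and all(f.startswith("arch=") for f in r["filters"]):
            return i
    return None

def covered_for_login_users(rules, syscall):
    """True if `syscall` is audited for login sessions: either the rule carries the per-rule
    auid filter (SSG style), or an earlier 'never' rule already dropped auid-unset events."""
    unset_dropped = False
    for r in rules:
        if r["action"] == "never" and "all" in r["syscalls"] and f"auid={AUID_UNSET}" in r["filters"]:
            unset_dropped = True
        if r["action"] == "always" and syscall in r["syscalls"]:
            return unset_dropped or f"auid!={AUID_UNSET}" in r["filters"]
    return False

# Constructed sample chains (not from the thread or the SSG): the optimized chain, the
# per-rule filtered style, and the optimized chain with a suppress-all rule at the top.
OPTIMIZED = """
-a never,exit -F arch=b64 -S all -F auid=4294967295
-a never,exit -F arch=b64 -S all -F auid<1000
-a always,exit -F arch=b64 -S fork,vfork,clone -k process_create
"""
PER_RULE = "-a always,exit -F arch=b64 -S fork -F auid>=1000 -F auid!=4294967295 -k process_create\n"
SUPPRESSED = "-a never,exit -F arch=b64 -S all\n" + OPTIMIZED
```

For the SUPPRESSED chain, `covered_for_login_users(parse_rules(SUPPRESSED), "fork")` still returns True while `find_catch_all` returns 0: the expected rule strings are all present, yet nothing after the first rule is ever recorded.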
