----- Original Message -----
> From: "Trevor Vaughan" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Friday, November 11, 2016 2:04:03 PM
> Subject: Re: Integration Etiquitte
> 
> The simplest example of this is the OVAL checks for Auditd.
> 
> As mentioned in the guides, you probably want to optimize your audit rules
> and so I did.
> 
> The first optimization is that I drop -F auid!=4294967295 as one of the
> first things in my chain. This means that I don't need to actually worry
> about that causing load via any other rules.
> 
> The same with auid>=500 (which may be 1000 in EL7, but it might not, we
> configure that system-wide).
> 
> Finally, we dig out some of the more dangerous calls and segregate them
> away from the others (fork, vfork, etc...) so that your system doesn't die
> under load.
> 
> Interestingly, what these rules do *not* check for is the presence of a
> rule at the top of the chain that just says "allow everything" and, of
> course, it doesn't check the running rules which may be heavily truncated
> unless you use the '-c' option to run auditd so that it continues to apply
> on an error.

To me it sounds like this could be added to the RHEL SSG product.

Although keep in mind that we are a compliance solution and optimizing
for performance or things like that are out of scope. We do want to pass
the rule if the user has optimized their chain though. So in this case
the changes to the OVAL can definitely be added to RHEL as long as it doesn't
start failing currently compliant systems.

HTH!

-- 
Martin Preisler
Identity Management and Platform Security | Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list -- [email protected]
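As an added example, not code from either message or from SCAP Security Guide: a small first-match walk over an audit.rules chain that (a) accepts a rule missing `-F auid!=4294967295` when an earlier `never` rule already drops unset auid, as Trevor's optimization does, and (b) flags a catch-all rule at the top of the chain that shadows everything below it, which the OVAL checks do not look for. The sample chains, the helper names and the field spelling `auid=4294967295` are constructed assumptions.

```python
"""Walk an auditd syscall-rule chain top-down (first matching rule wins) and
report whether a required syscall is still effectively audited."""
import shlex

UNSET_AUID = "4294967295"  # sentinel for an unset login uid, as in the thread

def parse_rule(line):
    """Reduce one '-a action,list ...' rule to its action, syscalls and -F fields."""
    toks = shlex.split(line)
    rule = {"action": "always", "syscalls": set(), "fields": set()}
    for flag, arg in zip(toks[::2], toks[1::2]):   # auditctl options come in pairs
        if flag in ("-a", "-A") and "never" in arg.split(","):
            rule["action"] = "never"               # 'never,exit' or 'exit,never'
        elif flag == "-S":
            rule["syscalls"].update(arg.split(","))
        elif flag == "-F":
            rule["fields"].add(arg)
    return rule

def audit_chain_findings(rules_text, required_syscall):
    """Findings for the first 'always' rule that watches required_syscall."""
    findings = {"unset_auid_excluded_early": False, "watched": False,
                "auid_filter_ok": False, "shadowed_by": None}
    catch_all = None  # earliest rule matching every syscall with no -F but arch
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith(("-a ", "-A ")):
            continue                               # comments, -w watches, -D/-b/-f
        r = parse_rule(line)
        if r["action"] == "never" and f"auid={UNSET_AUID}" in r["fields"]:
            findings["unset_auid_excluded_early"] = True   # the early drop Trevor uses
        if r["syscalls"] == {"all"} and all(f.startswith("arch=") for f in r["fields"]):
            catch_all = catch_all or line          # nothing below it is ever reached
        if (r["action"] == "always" and required_syscall in r["syscalls"]
                and not findings["watched"]):
            findings["watched"] = True
            findings["shadowed_by"] = catch_all
            # per-rule filter is redundant once an earlier 'never' rule drops unset auid
            findings["auid_filter_ok"] = (f"auid!={UNSET_AUID}" in r["fields"]
                                          or findings["unset_auid_excluded_early"])
    return findings

# constructed sample chains (not taken from the thread)
OPTIMIZED_CHAIN = """\
-a never,exit -F arch=b64 -S all -F auid=4294967295
-a never,exit -F arch=b64 -S all -F auid<1000
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_mod
"""
SHADOWED_CHAIN = """\
-a always,exit -F arch=b64 -S all -k everything
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
"""
```

Run `audit_chain_findings(OPTIMIZED_CHAIN, "chmod")` to see the optimized chain accepted and `audit_chain_findings(SHADOWED_CHAIN, "chmod")` to see the top-of-chain catch-all reported in `shadowed_by`.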