On 6/6/17 10:01 PM, Trevor Vaughan wrote:
> So, I was digging through and found the following:
>
> RHEL-07-030300
>
> The operating system must off-load audit records onto a different
> system or media from the system being audited.
>
> and
>
> RHEL-07-030310
>
> The operating system must encrypt the transfer of audit records
> off-loaded onto a different system or media from the system being audited.
>
> This poses a real problem since there are pretty much limitless
> methods to meet this requirement and, given that actual proof is
> multi-node, this is going to be *really* difficult to evaluate properly.
>
> As much as I like auditd, I don't care for the thought of the network
> blocking all of my operations, so I've opted to pass it along to
> syslog. My syslog is then TLS encrypted to the various shipping
> points. This obviously meets the requirement, and I can automatically
> test that configuration in my code but I feel like this is yet another
> place where we're going to have difficulty with the SSG.
>
> I also noticed that this one hasn't been implemented in the SSG and
> I'm guessing that this is why.
>
> What are the plans for things like this moving forward?

DoD, NSA, NIST, and Red Hat contested this with DISA. DISA decided to go
forward anyway. The broader consensus was to have things redirected
through syslog (or rsyslog). That's where
auditd_audispd_syslog_plugin_activated comes in:

https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/auditd_audispd_syslog_plugin_activated.xml

And it's selected in the OSPP profile:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7.xml#L149#L150

Which is now part of the official USGCB draft:
https://nvd.nist.gov/ncp/checklist/769

DISA has started working behind the scenes with Red Hat to triage their
content with the draft USGCB and DoD consensus content (aka the OSPP
profile). Hopefully things will shake out appropriately.
_______________________________________________
scap-security-guide mailing list -- [email protected]
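The configuration the thread settles on (audisp handing records to syslog, rsyslog shipping them over TLS), as an added offline check that is not SSG's OVAL content and not either poster's code; the file paths and sample configs below are constructed, and on a real RHEL 7 host the checks would be pointed at /etc/audisp/plugins.d/syslog.conf and /etc/rsyslog.conf or /etc/rsyslog.d/*.conf.

```shell
#!/bin/sh
# Added example mirroring RHEL-07-030300/030310 as discussed above:
# records must leave the host (audisp -> syslog -> remote) and the
# transfer must be encrypted. File paths are parameters so the checks
# run against constructed samples.

# 0 when the audisp syslog plugin is enabled ("active = yes", spacing optional).
audisp_syslog_active() {
  grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# 0 when rsyslog forwards over TCP (@@) with the gtls driver in TLS-only
# mode (mode 1). Any missing piece means no offload or plaintext transfer.
rsyslog_tls_forwarding() {
  f="$1"
  grep -Eq '^\$DefaultNetstreamDriver[[:space:]]+gtls' "$f" &&
  grep -Eq '^\$ActionSendStreamDriverMode[[:space:]]+1' "$f" &&
  grep -Eq '^[^#]*@@[^[:space:]]+' "$f"
}

# Constructed sample configurations (hostnames and cert paths are made up).
tmp=$(mktemp -d)
cat > "$tmp/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
sed 's/^active = yes/active = no/' "$tmp/syslog.conf" > "$tmp/syslog-off.conf"
cat > "$tmp/rsyslog-tls.conf" <<'EOF'
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
*.* @@logserver.example.com:6514
EOF
printf '*.* @@logserver.example.com:514\n' > "$tmp/rsyslog-plain.conf"

audisp_syslog_active "$tmp/syslog.conf" && echo "audisp syslog plugin: active"
rsyslog_tls_forwarding "$tmp/rsyslog-tls.conf" && echo "rsyslog: TLS forwarding"
rsyslog_tls_forwarding "$tmp/rsyslog-plain.conf" || echo "rsyslog: plaintext, fails 030310"
```

A single-node check like this only proves the sending side is configured; as the original post notes, proof that records actually arrive is multi-node and still has to be verified on the receiver.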