As are all of ours. I'm just pointing out that this rule (and a few others) will probably make your system unresponsive to logins in certain situations.
DO NOT APPLY THIS BLINDLY TO OPERATIONAL SYSTEMS

I was forced to do this at one site. Got a call 2 hours later that they couldn't log in to any systems.

This is great for workstations and login nodes but may destroy operational systems that do heavy data processing/manipulation using regular user-level or system accounts such as mail servers, HDFS, data processing nodes, etc...

Trevor

On Fri, Jan 5, 2018 at 12:37 PM, Paige, David B CTR USARMY ICOE (US) <[email protected]> wrote:

> My audit.rules file is full of checks like this to satisfy the STIG.
>
> -----Original Message-----
> From: Trevor Vaughan [mailto:[email protected]]
> Sent: Friday, January 5, 2018 10:17 AM
> To: SCAP Security Guide <[email protected]>
> Subject: [Non-DoD Source] Re: audit_rules_file_deletion_events
>
> Note: That particular rule will absolutely destroy any system running HDFS.
>
> On Fri, Jan 5, 2018 at 12:00 PM, Paige, David B CTR USARMY ICOE (US) <[email protected]> wrote:
>
> > This check and some related ones require auditing for all users and root. The suggested line includes these elements:
> >
> > -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete
> >
> > Should this check include "-F auid=0" to properly audit the root user?
> > _______________________________________________
> > scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> > To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
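An added example (not code from the thread or from the SCAP Security Guide project) that evaluates only the auid fields of the rule line quoted above against constructed process classes, relying on auditd's behaviour that all -F fields on one rule are ANDed. RULE_ROOT_APPENDED and RULE_ROOT_SEPARATE are hypothetical variants, and the sample auid values are assumptions.

```python
import re

UNSET_AUID = 4294967295  # (uint32)-1: no login UID was ever set (boot-time daemons)

# Rule line quoted in the thread, plus two hypothetical variants for comparison.
SYSCALLS = "-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat"
RULE_AS_POSTED = SYSCALLS + " -F auid>=500 -F auid!=4294967295 -k delete"
RULE_ROOT_APPENDED = SYSCALLS + " -F auid>=500 -F auid!=4294967295 -F auid=0 -k delete"
RULE_ROOT_SEPARATE = SYSCALLS + " -F auid=0 -k delete"

# Constructed process classes and their login UID (auid); not data from the thread.
SAMPLE_AUIDS = {
    "interactive login, uid 1000": 1000,
    "uid 1000 after su/sudo to root": 1000,  # auid is inherited across su/sudo
    "direct root login": 0,
    "boot-time daemon": UNSET_AUID,
}

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b, "=": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")


def auid_filters(rule):
    """Return [(op, value)] for each '-F auid<op><n>' field in a rule line."""
    tokens = rule.split()
    found = []
    for flag, arg in zip(tokens, tokens[1:]):
        m = FIELD_RE.match(arg) if flag == "-F" else None
        if m and m.group(1) == "auid":
            raw = m.group(3)
            found.append((m.group(2), UNSET_AUID if raw in ("-1", "unset") else int(raw)))
    return found


def rule_matches_auid(rule, auid):
    """Fields on one rule are ANDed: every auid comparison must hold."""
    return all(OPS[op](auid, value) for op, value in auid_filters(rule))


def audited_classes(rule):
    """Names of the sample process classes whose auid passes the rule's filters."""
    return sorted(n for n, a in SAMPLE_AUIDS.items() if rule_matches_auid(rule, a))


if __name__ == "__main__":
    for rule in (RULE_AS_POSTED, RULE_ROOT_APPENDED, RULE_ROOT_SEPARATE):
        print(audited_classes(rule), "<-", rule)
```

Appending -F auid=0 to the posted line yields a rule that none of the sample classes can satisfy, while a separate auid=0 rule matches only the direct root login. Root activity reached through su or sudo already carries the original user's auid and is matched by the line as posted.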
