On Thursday, January 10, 2019 11:24:20 AM EST Shawn Wells wrote:
> On 1/9/19 8:54 PM, Trevor Vaughan wrote:
> >     DoD refined as requiring audit of all
> >     success/failed attempts to create/access/delete/modify files [2]
> > 
> > Ugh... this thing *destroys* systems on a regular basis along with the
> > chmod/chown rules. I get it but I've seen *so* many systems tanked by
> > those rules.
> 
> Way the current Configuration Annex is written is that CNSSI 1253 and
> DoD systems will need to audit every file I/O.

It is almost the same as what is called out by OSPP-4.2, which you can
see here:

https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules

AFAICS, CNSSI 1253 also wants accesses of configuration files. I would say that 
is ill-advised. You may want failures due to permissions in accessing files. 
But with a lot of subsystems putting configuration in /usr/lib/ how do you 
tell what to monitor and what is applications? I'd say treat config files as 
any other file because they are too spread out and accessed constantly, like
$HOME/.bashrc.

-Steve
 
> They have a reasonably responsive team behind these. Can open a ticket
> through GitHub, or even submit a PR, to start the conversation to have
> these changed:
> 
> https://github.com/commoncriteria/operatingsystem/blob/master/input/configannex.xml#L212#L223



_______________________________________________
scap-security-guide mailing list