I'm trying to create a benchmark with a couple of checks. The checks will validate if some services are disabled. For this I'm using the template Unix Run Level Check to validate if sendmail service is disabled in the audited server. The sendmail service was disabled previously by using the chkconfig command.
The parameters follows:
runlevel: pattern matching - type = [3-5]
name: equals - type = sendmail
kill at start up: equals - type = true
However this seems correct, according to the user guide, the checks fails everytime.
The system being audited is a RHCE 5.
Thanks in advance.
Ok, let me rephrase the question (actually into multiple questions):
Is anyone successfully using custom unix checks with PA?
How do you specify the path argument ( /usr/bin or /usr/bin/ )?
Does the following workflow work for you?:
1. create benchmark;
2. create new rule and check (based on a unix template);
3. activate the benchmark;
4. create and run audit;
If this works (i.e. the check passes the audit) for everyone than its really odd, because all my unix checks fail.
My lab setup is (server:W2003, ePO45+P3, PA53 / client: RHCE5, SOLARIS10).
Thanks in advance.
RDMessage was edited by: epo909 on 1/31/11 4:28:58 AM CST
I am a started in Policy Auditor and I want to deploy a test benchmark (from scratch) that would include all the checks of one of the windows GPOs I have here. So far, I was creating new Rules from Checks (eg. Account Lockdown Settings, etc). However, I reached a point where few of the checks I want are not included in McAfee Checklists. So, I need to create on my own new Checks from scratch...
Have you found any good resource for such thing showing examples I could follow and adjust them to what I want?
Thank you in advance!
You're more lucky than me if you were able to use some of the built-ins checks. We had code all checks from scratch (near 400!) and import them into our benchmarks. The best advice I can give you is that you should learn the OVAL language, so that you can understand the check and debug any problems. Take a look into the guides from oval.mitre.org and read the schemas (focus on the ones you need): http://oval.mitre.org/language/version5.8
You can also export the mcafee checks that more closely approach what you need and modify them, to meet your needs, then import them back and test them. Anyways you should know OVAL structure, because it will help a lot.
See you around.
This issue was resolved in Audit Engine Content 1060/1061. The primitives used to provide the framework for custom checks still used a handful of legacy cpe references. Checks created using the latest content update should no longer cause this issue.