Frequency of running Deploy and Run Security Checklist RedHat/CentOS 5

(imported topic written by SystemAdmin)

Subscribed DISA STIG Checklist for RHEL 5 to OS of Red for my Red Hat test server. Executed Deploy and Run Security Checklist RedHat/CentOS. /etc/syslog.conf permission - RedHat/CentOS 5 was relevant, with /etc/syslog.conf having permissions of 644. Performed take action for /etc/syslog.conf, which changed the permissions to 640. Two hours later, /etc/syslog.conf permission - RedHat/CentOS 5 was still relevant. Executed the task Deploy and Run Security Checklist RedHat/CentOS 5 again, which made /etc/syslog.conf permission - RedHat/CentOS not relevant. Changed the permissions of /etc/syslog.conf back to 644, and /etc/syslog.conf permission - RedHat/CentOS 5 did not become relevant on the TEM console.

Do you have to run the task Deploy and Run Security Checklist RedHat/CentOS 5 to download the scripts and run runme.sh to get the latest status of the Red Hat configuration checks? Or should the task Deploy and Run Security Checklist RedHat/CentOS only be run once at the beginning, or when you have made changes? At TEM level 8.1.608.0.

(imported comment written by symbios91)

The Deploy and Run Security Checklist task has to be run every time you want to detect new changes. You could create an open action which runs the task every 24 hours or less.

(imported comment written by SystemAdmin)

By changes, I mean if you changed parameter(s) of individual SCM fixlets. e.g. Instead of checking for permissions 640 on a file, check for 600. If this type of change was done, then I could see the need to run task Deploy and Run Security Checklist RedHat/CentOS 5 to copy all the scripts to pick up these SCM fixlet changes. The task Deploy and Run Security Checklist RedHat/CentOS takes a longer time to run with all the copying. DISA STIG Checklist for RHEL 5 has 264 *.remediate files and 167 *.detect files.

It would be better if you just need to run task Deploy and Run Security Checklist RedHat/CentOS 5 at the beginning or whenever you make changes to the parameters or other changes of the SCM fixlets. Then the TEM client on Red Hat Linux 5 periodically runs the scripts to report when a SCM configuration fixlet is relevant. This makes it closer to the dynamic running of fixlets like Windows TEM agents. To be even closer to Windows, when you subscribe DISA STIG Checklist for RHEL 5 with OS contains Red Hat Enterprise Server 5, this should copy the scripts for DISA STIG Checklist for RHEL 5 to the Red Hat 5 computers. Also when you change a SCM fixlet for DISA STIG Checklist for RHEL 5, it should copy scripts for that individual SCM fixlet.

If you have hundreds or thousands of Linux servers to manage, it is not efficient to run the task Deploy and Run Security Checklist RedHat/CentOS 5 to copy hundreds of SCM scripts and files each time, just to run an SCM scan and get an updated list of relevant SCM fixlets for each Linux server.

Running TEM 8.1.617.0 on the TEM server and endpoints. Do you only need to run the task Deploy and Run Security Checklist RedHat/CentOS 5 initially or with SCM fixlet parameter changes? Or do you need to run the task Deploy and Run Security Checklist RedHat/CentOS 5 at least daily to find out which SCM fixlets are relevant or not relevant when changes to the target Linux computers make new SCM fixlets relevant?

(imported comment written by Jeff Saxton)

Hi,

My name is Jeff Saxton and I am currently the lead developer for the Unix SCM content.

There are currently a couple of versions of the Unix SCM content out there, and there are things that we can do with either version to improve the performance and address your concerns.

Please feel free to contact me directly (this will also give you a chance to influence future development :wink:).

I can be reached at jsaxton@us.ibm.com or feel free to call me at +US 650-235-0776

Jeff Saxton

Unix SCM Lead Developer

IBM