Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auditd not capturing administrator actions #86

Closed
cjnosal opened this issue Mar 29, 2019 · 5 comments
Closed

auditd not capturing administrator actions #86

cjnosal opened this issue Mar 29, 2019 · 5 comments
Labels
unscheduled

Comments

@cjnosal
Copy link
Contributor

cjnosal commented Mar 29, 2019

The bosh_audit stage adds a rule to record system administrator actions. The current configuration attempts to log actions that modify /var/log/sudo.log (https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/master/stemcell_builder/stages/bosh_audit/shared_functions.bash#L65)

This rule is ineffective because /var/log/sudo.log does not exist.

sudoer actions are being captured, but commands entered in a root shell are not.
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/164989826

The labels on this github issue will be updated when the story is started.

@jaresty
Copy link

jaresty commented Apr 3, 2019

@xtreme-conor-nosal is this causing any issues that you are aware of? I'm assuming that this is a suggestion to remove the line you called out here; please let me know if my interpretation is incorrect. Thanks!

@cjnosal
Copy link
Contributor Author

cjnosal commented Apr 3, 2019

This is a CIS Stemcell Hardening failure (non-repudiation of logs). The corresponding test (https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/master/bosh-stemcell/spec/support/os_image_shared_examples.rb#L660) references CIS 8.1.16 Collect System Administrator Actions (sudolog).

The CIS remediation does call for the current configuration (-w /var/log/sudo.log -p wa -k actions), but also calls out a precondition on 9.5 Restrict Access to the su Command that isn't currently met in the stemcell:
"If the system has been properly configured to disable the use of
the su command and force all administrators to have to log in first and then use sudo to
execute privileged commands, then all administrator commands will be logged to
/var/log/sudo.log"

I believe the current sudoer configuration is logging to syslog directly, not /var/log/sudo.log, and access to su is not restricted.

Regarding CIS 8.1.16, 2 options are:

  1. reconfigure to log to /var/log/sudo.log (following CIS's documented remediation)
  2. verify sudo logs to syslog, remove the ineffective auditd rule, and document that CIS 8.1.16 is being met via an alternate remediation

Regarding CIS 9.5, 2 options are:

  1. restrict su
  2. if that's not feasible, consider remediation via additional audit rules to capture root actions, for example -a exit,always -F euid=0 -F auid>1000 -S execve -k actions to capture programs launched by a bosh_ssh user in a su shell

@yatzek
Copy link
Contributor

yatzek commented Jun 14, 2021

How about something like this:

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=sudo_log
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=sudo_log

It captures "root" activity of real users and you can inspect the audit log with:
sudo ausearch -k sudo_log -i

Very good article describing this problem:
https://sudoedit.com/log-sudo-with-auditd/

@yatzek yatzek mentioned this issue Jun 14, 2021
Merged
@ramonskie
Copy link
Contributor

closing as fixed in #167

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
unscheduled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@cjnosal @ramonskie @jaresty @cf-gitbot @yatzek