auditd not capturing administrator actions #86
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/164989826 The labels on this github issue will be updated when the story is started.
@xtreme-conor-nosal is this causing any issues that you are aware of? I'm assuming that this is a suggestion to remove the line you called out here; please let me know if my interpretation is incorrect. Thanks!
This is a CIS Stemcell Hardening failure (non-repudiation of logs). The corresponding test (https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/master/bosh-stemcell/spec/support/os_image_shared_examples.rb#L660) references
The CIS remediation does call for the current configuration (
I believe the current sudoer configuration is logging to syslog directly, not /var/log/sudo.log, and access to
Regarding CIS 8.1.16, 2 options are:
Regarding CIS 9.5, 2 options are:
How about something like this:
It captures "root" activity of real users and you can inspect the audit log with:
Very good article describing this problem:
closing as fixed in #167
The bosh_audit stage adds a rule to record system administrator actions. The current configuration attempts to log actions that modify /var/log/sudo.log (https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/master/stemcell_builder/stages/bosh_audit/shared_functions.bash#L65).
This rule is ineffective because /var/log/sudo.log does not exist.
Sudoer actions are being captured, but commands entered in a root shell are not.
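One way to catch this class of misconfiguration at build time, as an added example that is not part of the stemcell builder or of this thread: a POSIX sh check that lists every `-w` audit watch whose target path does not exist on the host, so a rule like the sudo.log watch above would fail the build instead of silently recording nothing. The rules file, the temp directory and the rule lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from bosh-linux-stemcell-builder): report auditd file
# watches (-w PATH ...) whose target does not exist, the situation in this
# issue where the rule watches /var/log/sudo.log while sudo logs to syslog.

# Constructed sample: a temp dir with one watched file that exists and one
# (sudo.log) that does not.
AUDIT_DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$AUDIT_DEMO_DIR"' EXIT
: > "$AUDIT_DEMO_DIR/sudoers"          # stands in for /etc/sudoers
AUDIT_DEMO_RULES="$AUDIT_DEMO_DIR/audit.rules"
cat > "$AUDIT_DEMO_RULES" <<EOF
# constructed rules, loosely modelled on the bosh_audit stage
-w $AUDIT_DEMO_DIR/sudoers -p wa -k scope
-w $AUDIT_DEMO_DIR/sudo.log -p wa -k actions
# a syscall rule, not a watch; the check below ignores it
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
EOF

# Print each -w path in the rules file that does not exist, one per line.
missing_watch_paths() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(^|[[:space:]])-w[[:space:]]' \
        | sed -E 's/.*-w[[:space:]]+([^[:space:]]+).*/\1/' \
        | while read -r path; do
            [ -e "$path" ] || printf '%s\n' "$path"
          done
}

# Exit-status form for a build step: 0 if every watch target exists,
# 1 (with the offending paths on stderr) otherwise.
check_watch_paths() {
    missing="$(missing_watch_paths "$1")"
    if [ -n "$missing" ]; then
        printf 'audit watch targets missing:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

check_watch_paths "$AUDIT_DEMO_RULES"
```

Run against the real rules file (for example /etc/audit/rules.d/audit.rules) in the stage that installs it; a non-zero exit means at least one watch points at a path that will never produce events.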