Comments (5)
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/164989826
The labels on this github issue will be updated when the story is started.
from bosh-linux-stemcell-builder.
@xtreme-conor-nosal is this causing any issues that you are aware of? I'm assuming that this is a suggestion to remove the line you called out here; please let me know if my interpretation is incorrect. Thanks!
This is a CIS Stemcell Hardening failure (non-repudiation of logs). The corresponding test (https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/master/bosh-stemcell/spec/support/os_image_shared_examples.rb#L660) references CIS 8.1.16 Collect System Administrator Actions (sudolog).
The CIS remediation does call for the current configuration (-w /var/log/sudo.log -p wa -k actions), but also calls out a precondition on 9.5 Restrict Access to the su Command that isn't currently met in the stemcell:
"If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log"
I believe the current sudoer configuration is logging to syslog directly, not /var/log/sudo.log, and access to su is not restricted.
Regarding CIS 8.1.16, 2 options are:
- reconfigure to log to /var/log/sudo.log (following CIS's documented remediation)
- verify sudo logs to syslog, remove the ineffective auditd rule, and document that CIS 8.1.16 is being met via an alternate remediation
Regarding CIS 9.5, 2 options are:
- restrict su
- if that's not feasible, consider remediation via additional audit rules to capture root actions, for example
  -a exit,always -F euid=0 -F auid>1000 -S execve -k actions
  to capture programs launched by a bosh_ssh user in a su shell
How about something like this:
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=sudo_log
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=sudo_log
It captures "root" activity of real users and you can inspect the audit log with:
sudo ausearch -k sudo_log -i
A very good article describing this problem:
https://sudoedit.com/log-sudo-with-auditd/
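The rules proposed in the comment above select execve calls made with euid=0 while auid is a real login uid (>=1000 and not the unset value), so a privileged command is attributed to the user who logged in even after sudo or su switched the uid to 0. As an added example that is not part of this thread or of the stemcell builder project, the Python below applies that same predicate on the analyst side: it joins the SYSCALL and EXECVE records of each event from a constructed audit.log excerpt and reconstructs argv, including the hex-escaped form auditd uses for arguments containing spaces, which is roughly what `ausearch -k sudo_log -i` renders. The sample lines, the uid boundary of 1000 and all function names are assumptions of the example, not anything taken from the stemcell.

```python
import re

# Constructed sample of /var/log/audit/audit.log records (not from any real
# stemcell). Each execve produces a SYSCALL record and an EXECVE record that
# share the serial number in the msg=audit(timestamp:serial) header. The lines
# are built to exercise every branch of the rule's predicate:
#   serial 201: uid 1000 ran `sudo cat /etc/shadow`   -> auid=1000, euid=0 (kept)
#   serial 202: root cron job, auid unset (4294967295) -> no login user (dropped)
#   serial 203: uid 1000 ran `ls /root` unprivileged   -> euid=1000 (dropped)
#   serial 204: uid 1000 ran `sudo ls "/tmp/my dir"`   -> a1 hex-escaped (kept)
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1561234567.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="sudo_log"
type=EXECVE msg=audit(1561234567.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1561234567.202:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="sudo_log"
type=EXECVE msg=audit(1561234567.202:202): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1561234567.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4100 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="sudo_log"
type=EXECVE msg=audit(1561234567.303:203): argc=2 a0="ls" a1="/root"
type=SYSCALL msg=audit(1561234567.404:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4100 pid=4103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="sudo_log"
type=EXECVE msg=audit(1561234567.404:204): argc=2 a0="ls" a1=2F746D702F6D7920646972
"""

AUID_UNSET = 4294967295  # auid of processes with no login session (the rule's "auid!=-1")
MIN_USER_UID = 1000      # first regular user uid on Ubuntu (the rule's "auid>=1000"); assumed

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict; quotes are kept so EXECVE args can be decoded."""
    return dict(FIELD_RE.findall(body))


def unquote(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_execve_arg(raw):
    """EXECVE a<N> values are quoted strings, or bare hex when the argument contains
    spaces, quotes or non-printable bytes (auditd's escaping of untrusted strings)."""
    if raw.startswith('"'):
        return unquote(raw)
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def group_events(text):
    """Group records by serial so the SYSCALL and EXECVE halves of one execve are joined."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record in the shape we parse; skip it
        ev = events.setdefault(m['serial'], {'ts': m['ts']})
        ev[m['type']] = parse_fields(m['body'])
    return events


def matches_sudo_log_rule(syscall_fields):
    """Same predicate as the proposed rule: a privileged execve by a real logged-in user."""
    auid = int(unquote(syscall_fields.get('auid', str(AUID_UNSET))))
    euid = int(unquote(syscall_fields.get('euid', '-1')))
    return euid == 0 and auid >= MIN_USER_UID and auid != AUID_UNSET


def privileged_user_commands(text):
    """Return, per matching event, who ran what: auid, pid, tty, key and the argv."""
    hits = []
    for serial, ev in sorted(group_events(text).items(), key=lambda kv: int(kv[0])):
        sc, ex = ev.get('SYSCALL'), ev.get('EXECVE')
        if not sc or not ex or not matches_sudo_log_rule(sc):
            continue
        argc = int(ex.get('argc', '0'))
        argv = [decode_execve_arg(ex.get(f'a{i}', '')) for i in range(argc)]
        hits.append({
            'serial': int(serial),
            'auid': int(sc['auid']),       # the login uid: who is accountable
            'pid': int(sc['pid']),
            'tty': unquote(sc.get('tty', '?')),
            'key': unquote(sc.get('key', '')),
            'argv': argv,
        })
    return hits


if __name__ == '__main__':
    for hit in privileged_user_commands(SAMPLE_AUDIT_LOG):
        print(f"auid={hit['auid']} pid={hit['pid']} tty={hit['tty']} "
              f"key={hit['key']} ran: {' '.join(hit['argv'])}")
```

Running the module prints one line per privileged command attributed to a logged-in user (serials 201 and 204); the cron-spawned root job with an unset auid and the unprivileged `ls` drop out. That is the non-repudiation property the CIS control is after: the record names the original login uid, not the uid 0 that sudo or su produced, and it survives even when the user's shell is a su shell rather than a sudo invocation.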
closing as fixed in #167