
One of the requirements is to use a system auditing tool to monitor and log all security-relevant events.
Closed, Resolved | Public | Feature Request

Description

One of the requirements is to use a system auditing tool to monitor and log all security-relevant events.
auditd allows collecting and storing detailed information about system events, such as user login attempts, file modifications, and network connections.

An operator must not have access to this log; this will be extended when we return the administrator and operator user access levels.

https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-audit-setup.html

root@r14:/home/vyos# cat /etc/audit/auditd.conf 
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

Report

root@r14:/home/vyos# sudo aureport

Summary Report
======================
Range of time in logs: 04/03/2023 21:12:24.277 - 04/03/2023 21:28:30.093
Selected time for report: 04/03/2023 21:12:24 - 04/03/2023 21:28:30.093
Number of changes in configuration: 3
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 5
Number of authentications: 1
Number of failed authentications: 3
Number of users: 4
Number of terminals: 12
Number of host names: 2
Number of executables: 6
Number of commands: 4
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 20
Number of events: 88

root@r14:/home/vyos#
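The auditd.conf quoted above decides whether the daemon keeps logging when disk space runs low and who can read the log, which matters for the "log all security-relevant events" and "operator must not have access" requirements. The following is an added example (not VyOS code, not part of the PRs): a small reviewer that parses an auditd.conf and flags the fail-open actions and access settings. The sample config is constructed from the values shown above; the severity labels are my own and not from any standard.

```python
"""Review an auditd.conf for fail-open actions and log-access settings.
Added example, not VyOS code.  SAMPLE_CONF is constructed from the
auditd.conf shown in the task description."""

# Constructed sample: the relevant lines of the quoted auditd.conf.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
"""


def parse_auditd_conf(text):
    """Return {key: value} for active 'key = value' lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def review(conf):
    """Return a list of (severity, setting, finding) tuples for settings that
    weaken the audit trail.  Severities are this example's own labels."""
    findings = []

    # SUSPEND stops writing records to disk but leaves the daemon alive, so
    # every event after that point is silently lost; IGNORE does nothing and
    # SYSLOG only emits a warning.  HALT or SINGLE are the fail-closed choices
    # when the requirement is "log all security-relevant events".
    for key in ("admin_space_left_action", "disk_full_action", "disk_error_action"):
        if conf.get(key, "").upper() in ("SUSPEND", "IGNORE", "SYSLOG"):
            findings.append(("high", key, f"{conf[key]} lets auditing stop silently"))

    # The early warning at space_left (megabytes) should reach someone.
    if conf.get("space_left_action", "").upper() in ("IGNORE", "SYSLOG"):
        findings.append(("medium", "space_left_action", "only warns via syslog; consider EMAIL or EXEC"))

    # Retention: with ROTATE, at most num_logs files of max_log_file MB are kept
    # and older events are overwritten.
    try:
        kept_mb = int(conf.get("max_log_file", 0)) * int(conf.get("num_logs", 0))
    except ValueError:
        kept_mb = 0
    if conf.get("max_log_file_action", "").upper() == "ROTATE" and kept_mb < 100:
        findings.append(("low", "max_log_file_action", f"ROTATE keeps only ~{kept_mb} MB of history"))

    # Access: log_group becomes the group owner of log_file, so any account in
    # that group can read the log.  An operator account must not be a member.
    if conf.get("log_group", "root") != "root":
        findings.append(("info", "log_group",
                         f"members of group '{conf['log_group']}' can read {conf.get('log_file')}"))

    # A remote listener exists only if tcp_listen_port is set (commented out above).
    if "tcp_listen_port" in conf:
        findings.append(("medium", "tcp_listen_port",
                         "remote audit listener enabled; restrict peers with use_libwrap/hosts.allow"))
    return findings


if __name__ == "__main__":
    for severity, setting, text in review(parse_auditd_conf(SAMPLE_CONF)):
        print(f"[{severity}] {setting}: {text}")
```

Against the quoted config this reports the three SUSPEND actions, the syslog-only warning, the ~40 MB rotation window and the `adm` group ownership; the commented-out `tcp_listen_port` is correctly not reported, since no remote listener is active.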

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav changed the task status from Open to In progress. Apr 4 2023, 11:03 AM

PR https://github.com/vyos/vyos-build/pull/333
PR https://github.com/vyos/vyos-1x/pull/1938

vyos@r14:~$ show log audit | tail -n 5
type=USER_CMD msg=audit(1680605966.402:952): pid=4150 uid=1003 auid=1003 ses=1 msg='cwd="/home/vyos" cmd=6A6F75726E616C63746C202D2D6E6F2D686F73746E616D65202D2D626F6F74205F5452414E53504F52543D6175646974202D2D6E6F2D7061676572 exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="vyos" AUID="vyos"
type=CRED_REFR msg=audit(1680605966.402:953): pid=4150 uid=1003 auid=1003 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="vyos" AUID="vyos"
type=USER_START msg=audit(1680605966.402:954): pid=4150 uid=1003 auid=1003 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_permit,pam_mkhomedir,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="vyos" AUID="vyos"
type=USER_END msg=audit(1680605966.407:955): pid=4150 uid=1003 auid=1003 ses=1 msg='op=PAM:session_close grantors=pam_limits,pam_permit,pam_mkhomedir,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="vyos" AUID="vyos"
type=CRED_DISP msg=audit(1680605966.407:956): pid=4150 uid=1003 auid=1003 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="vyos" AUID="vyos"
vyos@r14:~$
Viacheslav updated the task description.
Viacheslav updated the task description.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
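In the `show log audit` output above the `cmd=` field of the USER_CMD record is hex-encoded (audit does this for any untrusted string containing whitespace or control characters; plain values are written in double quotes), and the ENRICHED format appends resolved `UID=`/`AUID=` names after the quoted msg. The following is an added example (not VyOS code): a parser for records in this shape that decodes the hex fields and produces a small per-type/failure summary of the kind aureport gives. The first two sample records are taken from the output above; the third, a failed USER_LOGIN, is constructed to exercise the `res=failed` path.

```python
"""Parse audit records as shown by 'show log audit', decode hex-encoded
untrusted-string fields, and summarise them.  Added example, not VyOS code."""
import re
from collections import Counter

# Constructed sample: two records from the task comment plus one made-up failed login.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1680605966.402:952): pid=4150 uid=1003 auid=1003 ses=1 msg='cwd="/home/vyos" cmd=6A6F75726E616C63746C202D2D6E6F2D686F73746E616D65202D2D626F6F74205F5452414E53504F52543D6175646974202D2D6E6F2D7061676572 exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="vyos" AUID="vyos"
type=USER_START msg=audit(1680605966.402:954): pid=4150 uid=1003 auid=1003 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_permit,pam_mkhomedir,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="vyos" AUID="vyos"
type=USER_LOGIN msg=audit(1680605970.100:960): pid=4201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'UID="root" AUID="unset"
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
# key=value where value is "..." , '...' (the nested msg) or a bare token.
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# Untrusted-string fields that audit hex-encodes instead of quoting when they
# contain whitespace or non-printable bytes.
HEX_FIELDS = {"cmd", "cwd", "exe", "comm", "proctitle", "acct", "name"}


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, unquoting and hex-decoding as audit does."""
    fields = {}
    for key, value in FIELD.findall(text):
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]                     # quoted: plain text
        elif key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
            value = bytes.fromhex(value).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one record; the nested msg='...' fields are merged into the result."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    fields = parse_fields(m["rest"])
    inner = fields.pop("msg", None)
    if inner is not None:
        fields.update(parse_fields(inner))
    rec.update(fields)
    return rec


def summarize(text):
    """aureport-style counts plus the things a reviewer wants listed verbatim:
    failed events and the commands run through sudo, keyed by the enriched UID."""
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    return {
        "events": len(recs),
        "by_type": Counter(r["type"] for r in recs),
        "failed": [(r["type"], r.get("acct"), r.get("addr")) for r in recs if r.get("res") == "failed"],
        "sudo_commands": [(r.get("UID"), r.get("cmd")) for r in recs if r["type"] == "USER_CMD"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["events"], "events", dict(s["by_type"]))
    for user, cmd in s["sudo_commands"]:
        print(f"sudo by {user}: {cmd}")
    for kind, acct, addr in s["failed"]:
        print(f"FAILED {kind} acct={acct} addr={addr}")
```

Decoding the hex from the record above yields `journalctl --no-hostname --boot _TRANSPORT=audit --no-pager`, i.e. the sudo invocation behind `show log audit` itself, which is why an operator who may run that command still needs the underlying log file to be unreadable to them.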