Audit logging is disabled-f5-all


Vendor: f5

OS: all

Description:
Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt. indeni will alert if audit is not enabled.

Remediation Steps:
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.
More information about TMM logging can be found here at https://support.f5.com/csp/article/K5532

How does this work?
This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.

Why is this important?
Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.

Without Indeni how would you find this?
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.

f5-rest-mgmt-tm-sys-db-config-auditing

name: f5-rest-mgmt-tm-sys-db-config-auditing
description: Determine if audit logging is enabled or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-audit-enabled:
        why: |
            Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.
        how: |
            This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.
        without-indeni: |
            An administrator could verify that auditing is enabled by logging into the web interface and clicking on "System" -> "Logs" -> "Configuration" -> "Options". On that page, make sure that audit logging for "MCP" and "tmsh" is set to either "Enable", "Verbose" or "Debug".
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/sys/db/config.auditing?$select=value
    parse:
        type: JSON
        file: rest-mgmt-tm-sys-db-config-auditing.parser.1.json.yaml

f5_audit_enabled

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule
import com.indeni.server.rules.library.RuleHelper

/**
  * Alerts when the most recent sample of the "f5-audit-enabled" metric
  * (the BIG-IP config.auditing db variable, collected over iControl REST
  * by the YAML rule above) reports the value "disable".
  */
case class f5_audit_enabled() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_audit_enabled",
  ruleFriendlyName = "F5 Devices: Audit logging is disabled",
  ruleDescription = "Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt. indeni will alert if audit is not enabled.",
  metricName = "f5-audit-enabled",
  alertDescription = "Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "An administrator could verify that auditing is enabled by logging into the web interface and clicking on \"System\" -> \"Logs\" -> \"Configuration\" -> \"Options\". On that page, make sure that audit logging for \"MCP\" and \"tmsh\" is set to either \"Enable\", \"Verbose\" or \"Debug\".\nMore information about TMM logging can be found here at https://support.f5.com/csp/article/K5532",
  // Alert condition: the constant "disable" equals the latest collected value.
  complexCondition = RuleEquals(
    RuleHelper.createComplexStringConstantExpression("disable"),
    SnapshotExpression("f5-audit-enabled").asSingle().mostRecent().value().noneable))()
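The YAML step above fetches `/mgmt/tm/sys/db/config.auditing?$select=value` and the Scala rule alerts when that value equals `disable`. The following added example, which is not Indeni's or F5's code, shows the same check outside the rule engine: it parses the db-variable JSON that iControl REST returns, applies the rule's `disable` comparison, and also offers a stricter test that only accepts the page's Enable/Verbose/Debug states. The sample responses are constructed; the `fetch_db_value` helper, the `host`/`user`/`password` parameters and the use of HTTP basic auth are assumptions for illustration and are not exercised offline.

```python
"""Check whether BIG-IP audit logging is enabled via iControl REST (added example)."""
import base64
import json
import ssl
import urllib.request
from typing import Optional

# States the page treats as "audit logging on" for MCP/tmsh.
ACCEPTABLE_STATES = {"enable", "verbose", "debug"}

# Constructed sample bodies shaped like an iControl REST db-variable object;
# only the "value" field matters, matching the rule's $select=value.
SAMPLE_DISABLED = (
    '{"kind": "tm:sys:db:dbstate", "name": "config.auditing", "value": "disable"}'
)
SAMPLE_ENABLED = '{"value": "enable"}'


def audit_state(body: str) -> str:
    """Return the normalized (trimmed, lower-cased) audit value from a response body.

    Raises ValueError when the body carries no usable "value", so a broken or
    truncated response is reported instead of silently reading as "enabled".
    """
    doc = json.loads(body)
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"no usable 'value' in response: {doc!r}")
    return value.strip().lower()


def audit_disabled(body: str) -> bool:
    """The rule's own condition: alert when the reported value is exactly 'disable'."""
    return audit_state(body) == "disable"


def audit_acceptable(body: str) -> bool:
    """Stricter variant: treat anything outside Enable/Verbose/Debug as not acceptable."""
    return audit_state(body) in ACCEPTABLE_STATES


def fetch_db_value(host: str, user: str, password: str, key: str = "config.auditing",
                   timeout: float = 10.0, context: Optional[ssl.SSLContext] = None) -> str:
    """GET /mgmt/tm/sys/db/<key>?$select=value with HTTP basic auth; return the raw JSON body.

    Assumed helper: not run in this example because no device is reachable offline.
    TLS verification uses the default context unless a caller supplies its own.
    """
    url = f"https://{host}/mgmt/tm/sys/db/{key}?$select=value"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(
        req, timeout=timeout, context=context or ssl.create_default_context()
    ) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for label, body in (("constructed disabled", SAMPLE_DISABLED),
                        ("constructed enabled", SAMPLE_ENABLED)):
        verdict = "ALERT" if audit_disabled(body) else "ok"
        print(f"{label}: config.auditing={audit_state(body)} -> {verdict}")
```

The rule compares against the literal `disable`, so a missing or malformed value never matches and would not alert; `audit_state` raises instead, which is the safer failure mode for a control whose absence you want to notice. The page's remediation covers both MCP and tmsh auditing, while the rule only reads `config.auditing`; `fetch_db_value` takes the db key as a parameter so the tmsh audit variable (assumed here to be `cli.audit`) can be checked the same way.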