Audit logging is disabled-f5-all

Vendor: f5

OS: all

Description:
Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt. Indeni will alert if audit logging is not enabled.

Remediation Steps:
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.
More information about TMM logging can be found at https://support.f5.com/csp/article/K5532

How does this work?
This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.

Why is this important?
Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.

Without Indeni how would you find this?
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.

f5-rest-mgmt-tm-sys-db-config-auditing

name: f5-rest-mgmt-tm-sys-db-config-auditing
description: Determine if audit logging is enabled or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-audit-enabled:
        why: |
            Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.
        how: |
            This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/sys/db/config.auditing?$select=value
    parse:
        type: JSON
        file: rest-mgmt-tm-sys-db-config-auditing.parser.1.json.yaml
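
The check this script performs can be reproduced outside Indeni. The Python below is an added example, not Indeni's parser or rule: it classifies the JSON body returned by the endpoint above and alerts unless auditing is positively confirmed. It assumes the db key takes the values disable, enable, verbose and all (the level the web interface labels "Debug"); fetch() and its host, user and password arguments are hypothetical.

```python
import base64
import json
import urllib.request

PATH = "/mgmt/tm/sys/db/config.auditing?$select=value"  # endpoint from the script above
# Assumption: values of the db key; "all" is the level the web UI labels "Debug".
ENABLED = {"enable", "verbose", "all"}
DISABLED = {"disable"}

def audit_state(body):
    """Classify a response body as 'enabled', 'disabled' or 'unknown'."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"          # not JSON at all (truncated, HTML error page, ...)
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, str):
        return "unknown"          # e.g. an error document with no "value" field
    value = value.strip().lower()
    if value in ENABLED:
        return "enabled"
    return "disabled" if value in DISABLED else "unknown"

def should_alert(body):
    """Fail closed: alert unless auditing is positively confirmed."""
    return audit_state(body) != "enabled"

def fetch(host, user, password):
    """Hypothetical helper: query a unit over HTTPS with basic auth.
    Certificate validation is left at urllib's default (on)."""
    req = urllib.request.Request("https://" + host + PATH)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample responses, not captured from a real unit.
SAMPLES = {
    "on": '{"value": "enable"}',
    "debug": '{"value": "all"}',
    "off": '{"value": "disable"}',
    "auth-failure": '{"code": 401, "message": "Authorization failed"}',
    "truncated": '{"value": "ena',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_state(body), "alert" if should_alert(body) else "ok")
```

Treating an unparseable or error response as "unknown" keeps a failed login or API error from being read as "auditing is on".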
