Audit logging is disabled-f5-all
Vendor: f5
OS: all
Description:
Audit logging is important for traceability in case of an outage or a successful intrusion attempt. Indeni will alert if audit logging is not enabled.
Remediation Steps:
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.
More information about TMM logging can be found at https://support.f5.com/csp/article/K5532
How does this work?
This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.
Why is this important?
Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.
Without Indeni how would you find this?
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.
f5-rest-mgmt-tm-sys-db-config-auditing
name: f5-rest-mgmt-tm-sys-db-config-auditing
description: Determine if audit logging is enabled or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-audit-enabled:
        why: |
            Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.
        how: |
            This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/sys/db/config.auditing?$select=value
    parse:
        type: JSON
        file: rest-mgmt-tm-sys-db-config-auditing.parser.1.json.yaml
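The parse step above, as an added Python example that is not Indeni's parser: it classifies the JSON body returned by `/mgmt/tm/sys/db/config.auditing?$select=value` and decides whether to alert. The raw value names, the sample bodies and the choice to alert when the state cannot be confirmed are assumptions made for this example.

```python
import json

# Assumption: raw db values corresponding to the GUI's "Enable", "Verbose"
# and "Debug" settings. Anything not listed is reported as unknown.
ENABLED_VALUES = {"enable", "verbose", "all", "debug"}
DISABLED_VALUES = {"disable"}


def audit_state(body: str) -> str:
    """Classify a response body as 'enabled', 'disabled' or 'unknown'."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"  # truncated or non-JSON response
    if not isinstance(doc, dict):
        return "unknown"
    value = doc.get("value")
    if not isinstance(value, str):
        return "unknown"  # e.g. an error object with no "value" field
    value = value.strip().lower()
    if value in ENABLED_VALUES:
        return "enabled"
    if value in DISABLED_VALUES:
        return "disabled"
    return "unknown"


def should_alert(body: str) -> bool:
    """Alert unless auditing is positively confirmed as enabled."""
    return audit_state(body) != "enabled"


# Constructed sample bodies (not captured from a real device).
SAMPLES = {
    "enabled": '{"value": "enable"}',
    "verbose": '{"value": "verbose"}',
    "disabled": '{"value": "disable"}',
    "auth_error": '{"code": 401, "message": "Authorization failed"}',
    "truncated": '{"value": "ena',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} state={audit_state(body):8s} alert={should_alert(body)}")
```

Treating an unparseable or unexpected response as alert-worthy keeps a failed login or API error from being read as "auditing is on".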
f5_audit_enabled