Audit logging is disabled-f5-False

Vendor: f5

OS: False

Description:
Audit logging is important for traceability in case of an outage or a successful intrusion attempt. indeni will alert if audit logging is not enabled.

Remediation Steps:
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.
More information about TMM logging can be found at https://support.f5.com/csp/article/K5532

How does this work?
This alert logs into the F5 unit via iControl REST, reads the config.auditing database variable (the script below requests only its value field) and raises an alert when that value is "disable".

Why is this important?
Audit logging is important for traceability in case of an outage or a successful intrusion attempt.

Without Indeni how would you find this?
An administrator could verify that auditing is enabled by logging into the web interface and clicking on “System” -> “Logs” -> “Configuration” -> “Options”. On that page, make sure that audit logging for “MCP” and “tmsh” is set to either “Enable”, “Verbose” or “Debug”.

f5-rest-mgmt-tm-sys-db-config-auditing

#! META
name: f5-rest-mgmt-tm-sys-db-config-auditing
description: Determine if audit logging is enabled or not
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
f5-audit-enabled:
    why: |
        Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.
    how: |
        This alert logs into the F5 unit via iControl REST and retrieves the status of the audit logging.
    without-indeni: |
        An administrator could verify that auditing is enabled by logging into the web interface and clicking on "System" -> "Logs" -> "Configuration" -> "Options". On that page, make sure that audit logging for "MCP" and "tmsh" is set to either "Enable", "Verbose" or "Debug".
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/sys/db/config.auditing?$select=value
protocol: HTTPS

#! PARSER::JSON

_metrics:
    -
        _tags:
            "im.name":
                _constant: "f5-audit-enabled"
            "im.dstype.displaytype":
                _constant: "state"
        _value.complex:
            value:
                _value: "$.value"

f5_audit_enabled

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule

/**
  * Rule backing the "Audit logging is disabled" alert for F5 devices.
  * It reads the f5-audit-enabled metric produced by the
  * f5-rest-mgmt-tm-sys-db-config-auditing script and fires when the
  * most recent value of config.auditing equals "disable".
  */
case class f5_audit_enabled() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_audit_enabled",
  ruleFriendlyName = "F5 Devices: Audit logging is disabled",
  ruleDescription = "Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt. indeni will alert if audit is not enabled.",
  metricName = "f5-audit-enabled",
  alertDescription = "Audit logging is important for traceability reasons in case of an outage, or a successful intrusion attempt.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "An administrator could verify that auditing is enabled by logging into the web interface and clicking on \"System\" -> \"Logs\" -> \"Configuration\" -> \"Options\". On that page, make sure that audit logging for \"MCP\" and \"tmsh\" is set to either \"Enable\", \"Verbose\" or \"Debug\".\nMore information about TMM logging can be found here at https://support.f5.com/csp/article/K5532",
  // Alert condition: the most recent f5-audit-enabled value is exactly "disable".
  // Any other value (enable, verbose, debug) satisfies the rule.
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("disable"), SnapshotExpression("f5-audit-enabled").asSingle().mostRecent().value().noneable))()
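The collector script (REMOTE::HTTP plus PARSER::JSON) and the Scala rule above together form a three-step check: fetch the config.auditing value over iControl REST, turn it into the f5-audit-enabled metric, and alert when that value is "disable". The following is an added example, not Indeni's or F5's own code, that reproduces those three steps in plain Python so the logic can be run and tested without an Indeni server. It assumes basic-auth credentials against the REST endpoint taken from the script (the page does not say how the Indeni collector authenticates), and the sample response bodies are constructed. The extra "unrecognised value" branch goes beyond the Scala rule, which only matches "disable".

```python
"""Stand-alone reproduction of the f5-rest-mgmt-tm-sys-db-config-auditing
script and the f5_audit_enabled rule (added example, not Indeni's code)."""
import json
import ssl
import urllib.request
from base64 import b64encode
from typing import Optional

# Endpoint copied from the script's REMOTE::HTTP section. The $select=value
# filter trims the reply to the single field the parser reads.
AUDITING_PATH = "/mgmt/tm/sys/db/config.auditing?$select=value"

# Values the remediation text accepts for audit logging.
ACCEPTABLE = {"enable", "verbose", "debug"}

# Constructed sample bodies in the shape iControl REST returns for a sys db
# variable queried with $select=value (not captured from a real unit).
SAMPLE_DISABLED = '{"value": "disable"}'
SAMPLE_ENABLED = '{"value": "enable"}'


def fetch_auditing_json(host: str, user: str, password: str,
                        verify_tls: bool = True) -> str:
    """GET the config.auditing value from the unit. Basic auth is an
    assumption of this example. Requires network access; not run offline."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab units with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{AUDITING_PATH}")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def parse_metric(body: str) -> dict:
    """Mirror of the PARSER::JSON section: one metric tagged
    im.name=f5-audit-enabled whose complex value carries $.value."""
    doc = json.loads(body)
    if "value" not in doc:
        # A login failure or wrong path yields a body without "value";
        # surface that instead of silently reporting "enabled".
        raise ValueError("response has no 'value' field; check path and credentials")
    return {
        "tags": {"im.name": "f5-audit-enabled",
                 "im.dstype.displaytype": "state"},
        "value": {"value": str(doc["value"])},
    }


def evaluate_rule(metric: dict) -> Optional[str]:
    """Mirror of the Scala rule: alert headline when the most recent value is
    "disable", None when the rule is satisfied. The unrecognised-value branch
    is an addition of this example; the Scala rule only matches "disable"."""
    state = metric["value"]["value"].strip().lower()
    if state == "disable":
        return "F5 Devices: Audit logging is disabled"
    if state not in ACCEPTABLE:
        return f"F5 Devices: unrecognised config.auditing value {state!r}"
    return None


def check_device(host: str, user: str, password: str) -> Optional[str]:
    """Full pipeline against a live unit: fetch, parse, evaluate."""
    return evaluate_rule(parse_metric(fetch_auditing_json(host, user, password)))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for body in (SAMPLE_DISABLED, SAMPLE_ENABLED):
        print(body, "->", evaluate_rule(parse_metric(body)))
```

Run it against a real unit with `check_device("bigip.example.invalid", "admin", "...")`; the offline `__main__` block only exercises the constructed samples. Note that, as in the script, only config.auditing is queried; the second toggle the remediation text mentions (tmsh) is not covered by this request.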