The requirements for auditing (Section 10) haven't changed from when this was published: http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html
On Friday, 28 August 2015 11:30:27 UTC+1, Trevor Vaughan wrote:

> Interesting! What, in particular, is the issue? It would seem like this is
> something worth reporting to the auditd folks if it can't meet the
> requirements properly.
>
> On Fri, Aug 28, 2015 at 3:07 AM, Martin Alfke <[email protected]> wrote:
>
>> Hi Trevor,
>>
>> many thanks for the feedback.
>> I learned today that the new snoopy version fixes this issue.
>>
>> Sidenote: The problem is that the platform needs PCI DSS Level 3
>> certification.
>> auditd does not fully comply with the requirements.
>> Neither does any of the other mentioned tools.
>>
>> Best,
>> Martin
>>
>> On 27 Aug 2015, at 14:22, Trevor Vaughan <[email protected]> wrote:
>>
>>> Hey Martin,
>>>
>>> You're going to run into this with anything that collects *all* commands
>>> run on the system if you're using any sort of maintenance infrastructure.
>>>
>>> A couple of questions.
>>>
>>> 1) Are you using Linux? If so, why won't auditd suffice?
>>> 2) I *think* that the requirement is to capture privileged commands from
>>> users, not daemons. Can you restrict snoopy to only looking at users with
>>> TTY sessions, or use something a la pam_tty_audit?
>>> 3) Finally, you might want to take a look at roosh, or our fork of
>>> sudosh2: https://github.com/onyxpoint/sudosh2
>>> 4) If you can't do any of these, you're going to have a really hard time
>>> using any system like Puppet.
>>>
>>> Good luck,
>>>
>>> Trevor
>>>
>>> On Thu, Aug 27, 2015 at 5:04 AM, Martin Alfke <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> we encounter a problem with puppet agent and snoopy installed and
>>>> activated.
>>>> Snoopy is required for PCI DSS compliance.
>>>>
>>>> apt-cache show snoopy
>>>> Package: snoopy
>>>> Version: 1.8.0-5
>>>> Installed-Size: 24
>>>> Maintainer: Zed Pobre <[email protected]>
>>>> Architecture: amd64
>>>> Depends: libc6 (>= 2.2.5), debconf (>= 0.5) | debconf-2.0
>>>> Description-en: execve() wrapper and logger
>>>>  snoopy is merely a shared library that is used as a wrapper
>>>>  to the execve() function provided by libc as to log every call
>>>>  to syslog (authpriv). system administrators may find snoopy
>>>>  useful in tasks such as light/heavy system monitoring, tracking other
>>>>  administrator's actions as well as getting a good 'feel' of
>>>>  what's going on in the system (for example apache running cgi
>>>>  scripts).
>>>> Homepage: http://sourceforge.net/projects/snoopylogger/
>>>>
>>>> /opt/puppetlabs/bin/puppet agent --test --server master.example.net
>>>> Info: Retrieving pluginfacts
>>>> Info: Retrieving plugin
>>>> Info: Caching catalog for master.example.net
>>>> Info: Applying configuration version '1440665887'
>>>> Notice: Welcone to master.example.net
>>>> Notice: /Stage[main]/Main/Node[default]/Notify[Wemlcone to master.example.net]/message: defined 'message' as 'Wemlcone to master.example.net'
>>>> Notice: Applied catalog in 0.02 seconds
>>>> [ASYNC BUG] consume_communication_pipe: read
>>>>
>>>> EBADF
>>>>
>>>> ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
>>>>
>>>> [NOTE]
>>>> You may have encountered a bug in the Ruby interpreter or extension libraries.
>>>> Bug reports are welcome.
>>>> For details: http://www.ruby-lang.org/bugreport.html
>>>>
>>>> Aborted
>>>>
>>>> The Ruby error varies. Sometimes it is rb_thread_wakeup timer_thread
>>>> instead of consume_communication_pipe.
>>>>
>>>> How can snoopy and Puppet coexist?
>>>>
>>>> Best,
>>>> Martin
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/A32579C0-8036-4637-8706-239CA74F93CF%40gmail.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>> --
>>> Trevor Vaughan
>>> Vice President, Onyx Point, Inc
>>> (410) 541-6699
>>>
>>> -- This account not approved for unencrypted proprietary information --
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --
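Trevor's second point above, keeping the commands of interactive users and dropping the ones spawned by daemons such as the Puppet agent, can also be applied on the log side once snoopy has written its records. The following Python is an added example written for this page; it is not code from the thread, from snoopy or from Puppet. It assumes the syslog layout snoopy 1.x produces, taken here to be `[uid:N sid:N tty:T cwd:P filename:P]: argv` with `tty:(none)` for processes that have no controlling terminal, and it runs over constructed sample lines. It keeps only executions that are both from a TTY session and privileged (uid 0, or an invocation of sudo or su), which is the subset the PCI DSS "actions by administrative users" requirement is about; what counts as privileged is a policy choice made for the example.

```python
"""Filter snoopy-style execve log lines down to privileged, interactive commands.

Added example, not part of the original thread or of snoopy/Puppet.
The log layout is assumed to be snoopy 1.x's
"[uid:N sid:N tty:T cwd:P filename:P]: argv"; the sample lines are constructed.
The parser assumes cwd and filename contain no spaces.
"""
import re
from dataclasses import dataclass
from os.path import basename
from typing import Iterable, List, Optional

# Constructed sample syslog lines (not captured from a real host). The first
# two mimic a configuration-management run with no TTY, the middle three an
# administrator's shell session, the last an unprivileged web worker.
SAMPLE_LOG = """\
Aug 27 09:04:01 host snoopy[2101]: [uid:0 sid:2099 tty:(none) cwd:/ filename:/usr/bin/apt-get]: apt-get -q -y install htop
Aug 27 09:04:02 host snoopy[2113]: [uid:0 sid:2099 tty:(none) cwd:/ filename:/bin/systemctl]: systemctl restart ntp
Aug 27 09:05:10 host snoopy[2201]: [uid:1000 sid:2180 tty:/dev/pts/0 cwd:/home/martin filename:/usr/bin/sudo]: sudo -i
Aug 27 09:05:11 host snoopy[2202]: [uid:0 sid:2180 tty:/dev/pts/0 cwd:/root filename:/usr/sbin/visudo]: visudo
Aug 27 09:05:30 host snoopy[2210]: [uid:1000 sid:2180 tty:/dev/pts/0 cwd:/home/martin filename:/bin/ls]: ls -la
Aug 27 09:06:00 host snoopy[2301]: [uid:33 sid:1500 tty:(none) cwd:/var/www filename:/usr/bin/php]: php index.php
"""

LINE_RE = re.compile(
    r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S+) "
    r"cwd:(?P<cwd>\S+) filename:(?P<filename>\S+)\]: (?P<cmd>.*)$"
)

# Programs that elevate privilege; a call to one of them by an unprivileged
# user is itself an administrative action worth keeping (policy choice).
ELEVATION_PROGRAMS = {"sudo", "su"}


@dataclass(frozen=True)
class ExecRecord:
    pid: int
    uid: int
    sid: int
    tty: str
    cwd: str
    filename: str
    cmd: str

    @property
    def interactive(self) -> bool:
        # A process without a controlling terminal is logged as tty:(none);
        # daemon-driven runs (e.g. an agent started by cron or systemd) look
        # like that, a login shell shows /dev/pts/N or /dev/ttyN.
        return self.tty.startswith("/dev/")

    @property
    def privileged(self) -> bool:
        return self.uid == 0 or basename(self.filename) in ELEVATION_PROGRAMS


def parse_line(line: str) -> Optional[ExecRecord]:
    """Return the parsed record, or None if the line is not a snoopy entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ExecRecord(
        pid=int(m["pid"]), uid=int(m["uid"]), sid=int(m["sid"]),
        tty=m["tty"], cwd=m["cwd"], filename=m["filename"], cmd=m["cmd"],
    )


def select_privileged_interactive(lines: Iterable[str]) -> List[ExecRecord]:
    """Keep records that come from a TTY session and are privileged."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec.interactive and rec.privileged:
            kept.append(rec)
    return kept


def summarize(lines: Iterable[str]) -> dict:
    """Counts showing how much of the noise the TTY filter removes."""
    recs = [r for r in (parse_line(l) for l in lines) if r is not None]
    return {
        "total": len(recs),
        "interactive": sum(r.interactive for r in recs),
        "privileged": sum(r.privileged for r in recs),
        "kept": sum(r.interactive and r.privileged for r in recs),
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in select_privileged_interactive(lines):
        print(f"uid={rec.uid} sid={rec.sid} tty={rec.tty} {rec.cmd}")
    print(summarize(lines))
```

On the constructed input this keeps `sudo -i` and `visudo` from the administrator's pts/0 session and discards the root-owned but TTY-less apt-get and systemctl calls, the unprivileged `ls`, and the web worker. A log-side filter like this only reduces what reaches the reviewer; it does not change what snoopy intercepts, so it does nothing about the Ruby crash the thread reports, for which the options discussed above (a newer snoopy, or auditd/pam_tty_audit scoped to TTY sessions) still apply.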
