Ah, got it! It's just so much easier to fool than is auditd that I was surprised.
Trevor

On Fri, Aug 28, 2015 at 11:12 AM, Martin Alfke <[email protected]> wrote:
> Hi,
>
> I have asked the guys around here: within this project they decided to go for snoopy due to much easier installation (add a library to ld_preload).
> They require to have all exec's logged (either from an application or a user).
>
> I do not believe that something is wrong with auditd.
> it is only this specific project which prefers snoopy over auditd.
>
> Best,
> Martin
>
>
> On 28 Aug 2015, at 14:24, Mike Hendon <[email protected]> wrote:
>
> > The requirements for auditing (Section 10) haven't changed from when this was published:
> >
> > http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html
> >
> > On Friday, 28 August 2015 11:30:27 UTC+1, Trevor Vaughan wrote:
> > Interesting! What, in particular, is the issue? It would seem like this is something worth reporting to the auditd folks if it can't meet the requirements properly.
> >
> > On Fri, Aug 28, 2015 at 3:07 AM, Martin Alfke <[email protected]> wrote:
> > Hi Trevor,
> >
> > many thanks for the feedback.
> > I learned today that the new snoopy version fixes this issue.
> >
> > Sidenote: The problem is that the platform needs PCI DSS Level 3 certification.
> > auditd does not fully comply with the requirements.
> > Neither does any of the other mentioned tools.
> >
> > Best,
> > Martin
> >
> > On 27 Aug 2015, at 14:22, Trevor Vaughan <[email protected]> wrote:
> >
> > > Hey Martin,
> > >
> > > You're going to run into this with anything that collects *all* commands run on the system if you're using any sort of maintenance infrastructure.
> > >
> > > A couple of questions.
> > >
> > > 1) Are you using Linux? If so, why won't auditd suffice?
> > > 2) I *think* that the requirement is to capture privileged commands from users, not daemons. Can you restrict snoopy to only looking at users with TTY sessions or use ala pam_tty_audit?
> > > 3) Finally, you might want to take a look at roosh, or our fork of sudosh2 https://github.com/onyxpoint/sudosh2
> > > 4) If you can't do any of these, you're going to have a really hard time using any system like Puppet
> > >
> > > Good luck,
> > >
> > > Trevor
> > >
> > > On Thu, Aug 27, 2015 at 5:04 AM, Martin Alfke <[email protected]> wrote:
> > > Hi,
> > >
> > > we encounter a problem with puppet agent and snoopy installed and activated.
> > > Snoopy is required for PCI DSS compliance.
> > >
> > >
> > > apt-cache show snoopy
> > > Package: snoopy
> > > Version: 1.8.0-5
> > > Installed-Size: 24
> > > Maintainer: Zed Pobre <[email protected]>
> > > Architecture: amd64
> > > Depends: libc6 (>= 2.2.5), debconf (>= 0.5) | debconf-2.0
> > > Description-en: execve() wrapper and logger
> > >  snoopy is merely a shared library that is used as a wrapper
> > >  to the execve() function provided by libc as to log every call
> > >  to syslog (authpriv). system administrators may find snoopy
> > >  useful in tasks such as light/heavy system monitoring, tracking other
> > >  administrator's actions as well as getting a good 'feel' of
> > >  what's going on in the system (for example apache running cgi
> > >  scripts).
> > > Homepage: http://sourceforge.net/projects/snoopylogger/
> > >
> > >
> > >
> > > /opt/puppetlabs/bin/puppet agent --test --server master.example.net
> > > Info: Retrieving pluginfacts
> > > Info: Retrieving plugin
> > > Info: Caching catalog for master.example.net
> > > Info: Applying configuration version '1440665887'
> > > Notice: Welcone to master.example.net
> > > Notice: /Stage[main]/Main/Node[default]/Notify[Wemlcone to master.example.net]/message: defined 'message' as 'Wemlcone to master.example.net'
> > > Notice: Applied catalog in 0.02 seconds
> > > [ASYNC BUG] consume_communication_pipe: read
> > >
> > > EBADF
> > >
> > > ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
> > >
> > > [NOTE]
> > > You may have encountered a bug in the Ruby interpreter or extension libraries.
> > > Bug reports are welcome.
> > > For details: http://www.ruby-lang.org/bugreport.html
> > >
> > > Aborted
> > >
> > > The Ruby error varies. Sometimes it is rb_thread_wakeup timer_thread instead of consume_communication_pipe
> > >
> > > How to have snoopy and Puppet coexisting?
> > >
> > > Best,
> > > Martin
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/A32579C0-8036-4637-8706-239CA74F93CF%40gmail.com.
> > > For more options, visit https://groups.google.com/d/optout.
> > >
> > >
> > > --
> > > Trevor Vaughan
> > > Vice President, Onyx Point, Inc
> > > (410) 541-6699
> > >
> > > -- This account not approved for unencrypted proprietary information --
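Trevor's suggestion of only looking at users with TTY sessions, worked as a log-triage filter over constructed snoopy-style syslog lines. This is an added example, not code from the thread or from the snoopy project; it assumes snoopy 1.x's bracketed `uid/sid/tty/cwd/filename` layout and that a puppet agent run with no controlling terminal logs `tty:(none)`.

```python
import re
from dataclasses import dataclass

# Bracketed key:value layout as written by snoopy 1.x (assumption); no-tty execs show tty:(none).
SNOOPY_RE = re.compile(
    r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S+) "
    r"cwd:(?P<cwd>\S+) filename:(?P<filename>\S+)\]: (?P<cmd>.*)$"
)

# Constructed sample: two execs from a puppet agent run, two from an ssh session, one non-snoopy line.
SAMPLE_LOG = """\
Aug 27 10:04:01 web1 snoopy[2201]: [uid:0 sid:2100 tty:(none) cwd:/ filename:/opt/puppetlabs/bin/puppet]: puppet agent --test --server master.example.net
Aug 27 10:04:02 web1 snoopy[2215]: [uid:0 sid:2100 tty:(none) cwd:/ filename:/usr/bin/facter]: facter
Aug 27 10:05:13 web1 snoopy[2290]: [uid:1000 sid:2280 tty:/dev/pts/0 cwd:/home/martin filename:/bin/ls]: ls -la /etc
Aug 27 10:05:40 web1 snoopy[2301]: [uid:0 sid:2280 tty:/dev/pts/0 cwd:/home/martin filename:/usr/bin/vim]: vim /etc/ssh/sshd_config
Aug 27 10:06:00 web1 sshd[2310]: Accepted publickey for martin from 10.0.0.5 port 51022 ssh2
"""

@dataclass
class ExecRecord:
    pid: int
    uid: int
    sid: int        # session id: ties a uid:0 command back to the login session that ran sudo
    tty: str
    cwd: str
    filename: str
    cmd: str

    @property
    def interactive(self) -> bool:
        # Daemon-spawned execs (puppet agent, cron) have no controlling terminal.
        return self.tty != "(none)"

def parse_snoopy(text: str) -> list[ExecRecord]:
    """Parse every snoopy line in a syslog extract; other lines are skipped."""
    records = []
    for line in text.splitlines():
        if m := SNOOPY_RE.search(line):
            d = m.groupdict()
            records.append(ExecRecord(int(d["pid"]), int(d["uid"]), int(d["sid"]),
                                      d["tty"], d["cwd"], d["filename"], d["cmd"]))
    return records

def interactive_commands(text: str) -> list[ExecRecord]:
    """Commands run from a user TTY session: the subset a reviewer actually needs to read."""
    return [r for r in parse_snoopy(text) if r.interactive]

def privileged_interactive(text: str) -> list[ExecRecord]:
    """Root commands typed inside a user session (uid 0 sharing the session's sid)."""
    return [r for r in interactive_commands(text) if r.uid == 0]
```

Run `interactive_commands(SAMPLE_LOG)` to see the two session commands survive while both puppet-agent execs are dropped; the shared `sid` is what lets the root `vim` be attributed to uid 1000's login.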
