Ah, got it! It's just so much easier to fool than is auditd that I was surprised.
Trevor

On Fri, Aug 28, 2015 at 11:12 AM, Martin Alfke <tux...@gmail.com> wrote:
> Hi,
>
> I have asked the guys around here: within this project they decided to go
> for snoopy due to much easier installation (add a library to ld_preload).
> They require to have all exec's logged (either from an application or a
> user).
>
> I do not believe that something is wrong with auditd.
> It is only this specific project which prefers snoopy over auditd.
>
> Best,
> Martin
>
>
> On 28 Aug 2015, at 14:24, Mike Hendon <m...@samknows.com> wrote:
>
> > The requirements for auditing (Section 10) haven't changed from when
> > this was published:
> >
> > http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html
> >
> > On Friday, 28 August 2015 11:30:27 UTC+1, Trevor Vaughan wrote:
> > Interesting! What, in particular, is the issue? It would seem like this
> > is something worth reporting to the auditd folks if it can't meet the
> > requirements properly.
> >
> > On Fri, Aug 28, 2015 at 3:07 AM, Martin Alfke <tux...@gmail.com> wrote:
> > Hi Trevor,
> >
> > many thanks for the feedback.
> > I learned today that the new snoopy version fixes this issue.
> >
> > Sidenote: The problem is that the platform needs PCI DSS Level 3
> > certification.
> > auditd does not fully comply with the requirements.
> > Neither does any of the other mentioned tools.
> >
> > Best,
> > Martin
> >
> > On 27 Aug 2015, at 14:22, Trevor Vaughan <tvau...@onyxpoint.com> wrote:
> > >
> > > Hey Martin,
> > >
> > > You're going to run into this with anything that collects *all*
> > > commands run on the system if you're using any sort of maintenance
> > > infrastructure.
> > >
> > > A couple of questions.
> > >
> > > 1) Are you using Linux? If so, why won't auditd suffice?
> > > 2) I *think* that the requirement is to capture privileged commands
> > > from users, not daemons. Can you restrict snoopy to only looking at users
> > > with TTY sessions or use ala pam_tty_audit?
> > > 3) Finally, you might want to take a look at roosh, or our fork of
> > > sudosh2 https://github.com/onyxpoint/sudosh2
> > > 4) If you can't do any of these, you're going to have a really hard
> > > time using any system like Puppet
> > >
> > > Good luck,
> > >
> > > Trevor
> > >
> > > On Thu, Aug 27, 2015 at 5:04 AM, Martin Alfke <tux...@gmail.com>
> > > wrote:
> > > Hi,
> > >
> > > we encounter a problem with puppet agent and snoopy installed and
> > > activated.
> > > Snoopy is required for PCI DSS compliance.
> > >
> > >
> > > apt-cache show snoopy
> > > Package: snoopy
> > > Version: 1.8.0-5
> > > Installed-Size: 24
> > > Maintainer: Zed Pobre <z...@debian.org>
> > > Architecture: amd64
> > > Depends: libc6 (>= 2.2.5), debconf (>= 0.5) | debconf-2.0
> > > Description-en: execve() wrapper and logger
> > > snoopy is merely a shared library that is used as a wrapper
> > > to the execve() function provided by libc as to log every call
> > > to syslog (authpriv). system administrators may find snoopy
> > > useful in tasks such as light/heavy system monitoring, tracking other
> > > administrator's actions as well as getting a good 'feel' of
> > > what's going on in the system (for example apache running cgi
> > > scripts).
> > > Homepage: http://sourceforge.net/projects/snoopylogger/
> > >
> > >
> > >
> > > /opt/puppetlabs/bin/puppet agent --test --server master.example.net
> > > Info: Retrieving pluginfacts
> > > Info: Retrieving plugin
> > > Info: Caching catalog for master.example.net
> > > Info: Applying configuration version '1440665887'
> > > Notice: Welcone to master.example.net
> > > Notice: /Stage[main]/Main/Node[default]/Notify[Wemlcone to
> > > master.example.net]/message: defined 'message' as 'Wemlcone to
> > > master.example.net'
> > > Notice: Applied catalog in 0.02 seconds
> > > [ASYNC BUG] consume_communication_pipe: read
> > >
> > > EBADF
> > >
> > > ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
> > >
> > > [NOTE]
> > > You may have encountered a bug in the Ruby interpreter or extension
> > > libraries.
> > > Bug reports are welcome.
> > > For details: http://www.ruby-lang.org/bugreport.html
> > >
> > > Aborted
> > >
> > > The Ruby error varies. Sometimes it is rb_thread_wakeup timer_thread
> > > instead of consume_communication_pipe
> > >
> > > How to have snoopy and Puppet coexisting?
> > >
> > > Best,
> > > Martin
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "Puppet Developers" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to puppet-dev+...@googlegroups.com.
> > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/puppet-dev/A32579C0-8036-4637-8706-239CA74F93CF%40gmail.com
> > > .
> > > For more options, visit https://groups.google.com/d/optout.
> > >
> > >
> > >
> > > --
> > > Trevor Vaughan
> > > Vice President, Onyx Point, Inc
> > > (410) 541-6699
> > >
> > > -- This account not approved for unencrypted proprietary information --
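The Description-en quoted above describes snoopy as a shared library preloaded in front of libc's execve() that logs every call to syslog (authpriv). This added example (mine, not snoopy's code and not from the thread) shows that mechanism in C, with the log-line formatter split out so its output can be checked without exec'ing anything. The field layout, the raw-syscall forwarding and the errno/descriptor hygiene are my assumptions about what such a wrapper has to do; the thread does not identify why snoopy 1.8.0 upset the Ruby interpreter.

```c
/* Minimal snoopy-style execve() interposer (added example; not snoopy's code).
 * Build as a shared object and activate it per process with LD_PRELOAD:
 *   gcc -shared -fPIC -o execlog.so execlog.c && LD_PRELOAD=./execlog.so ls -l
 * Each exec is then written to syslog(authpriv), as snoopy's description says. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Render one log line, e.g. "[uid:1000 sid:4242 tty:/dev/pts/0 cwd:/tmp]: ls -l".
 * Kept pure so the format can be checked without exec'ing; returns the number
 * of bytes written (a truncated line is still NUL-terminated). */
size_t format_exec_line(char *out, size_t outsz, uid_t uid, pid_t sid,
                        const char *tty, const char *cwd, char *const argv[])
{
    size_t n = (size_t)snprintf(out, outsz, "[uid:%u sid:%d tty:%s cwd:%s]:",
                                (unsigned)uid, (int)sid,
                                tty ? tty : "(none)", cwd ? cwd : "(unknown)");
    for (int i = 0; argv && argv[i] && n < outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, " %s", argv[i]);
    return n < outsz ? n : outsz - 1;
}

/* Interposed execve(): log, then forward to the kernel. snoopy forwards to the
 * libc execve via dlsym(RTLD_NEXT); the raw syscall is used here so that the
 * example needs no -ldl. The wrapper must leave errno and every descriptor the
 * caller owns untouched: runtimes such as Ruby keep internal pipes open across
 * exec and abort (compare the EBADF trace in the thread) if a preloaded library
 * interferes with them. Whether that was snoopy's bug is not stated in the thread. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char line[4096], cwd[1024];
    int saved_errno = errno;
    const char *tty = ttyname(STDIN_FILENO);   /* NULL for daemons such as puppet agent */
    if (!getcwd(cwd, sizeof cwd))
        strcpy(cwd, "(unknown)");
    format_exec_line(line, sizeof line, getuid(), getsid(0), tty, cwd, argv);
    openlog("execlog", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "%s", line);
    closelog();                 /* release only the socket this wrapper opened */
    errno = saved_errno;        /* stay invisible to the caller */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```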