kenlukas's questions

When a user on Windows 10 tries to switch roles in AWS it fails with

Failed authentication

We have a Condition in our sts:AssumeRole policy to only allow the role to switch if the user is coming from a white-listed IP address. Those addresses correspond to our NAT IP's. The user googles "what's my IP" and it returns the NAT IP we expect to see.

What's peculiar is the IP address in the CloudTrail logs is not our NAT IP. It is owned by AWS.

We have tried this in Chrome and Firefox with the same result. What I expect to happen is the user switches roles without an issue.

This issue does not occur when using Windows7 or MacOS.

Thoughts?

I want to enable HTTP Strict Transport Security (HSTS) Headers globally for all my backends in HAProxy v1.5.

Following the instructions from https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/ I can add the following line to a backend configuration file and it works as expected.

http-response set-header Strict-Transport-Security max-age=16000000;\ 
includeSubDomains;\ preload;

I have a dozen backend files and will likely have more in the future. I'd like to set this in one place.

I'd like something similar to how it's set up globally in Apache's httpd.conf:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

I'm using CentOS 7. trying to view auditd logs in journalctl

When I try journalctl -u auditd I see the following output:

-- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. --
Sep 05 12:59:25 centos7 systemd[1]: Starting Security Auditing Service...
Sep 05 12:59:25 centos7 auditd[563]: Started dispatcher: /sbin/audispd pid: 565
Sep 05 12:59:25 centos7 audispd[565]: No plugins found, exiting
Sep 05 12:59:25 centos7 auditd[563]: Init complete, auditd 2.8.1 listening for events (startup state enable)
Sep 05 12:59:25 centos7 augenrules[567]: /sbin/augenrules: No change
Sep 05 12:59:25 centos7 augenrules[567]: No rules
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 systemd[1]: Started Security Auditing Service.

and that's where it ends.

If I run tail -3 /var/log/audit/audit.log I see the output I expect:

type=CRED_REFR msg=audit(1537383661.096:4863): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=CRED_DISP msg=audit(1537383661.107:4864): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_END msg=audit(1537383661.109:4865): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I looked at the instructions from https://major.io/2017/01/05/display-auditd-messages-with-journalctl/

Running this command from that page gave me this output and then waited (as expected).

$ journalctl -af _TRANSPORT=audit
-- Logs begin at Wed 2018-09-05 08:59:19 EDT. --

How do I configure journalctl or auditd to view the output I see from the audit.log file in journalctl?