Hi,

We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1]. It checks that enable_krb5 = yes is set in /etc/audisp/audisp-remote.conf. We have found that it doesn't work anymore on Fedora 29 and RHEL 8.

I have found that the audisp-remote.conf has moved to /etc/audit and that the "enable_krb5 = yes" option has been superseded by "transport = KRB5". I have created a patch [2] that fixes the rule, OVAL, etc.

However, it turned out that the 'transport' option can also be set in /etc/audit/auditd.conf. It's not clear to me if we should check /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.

Which of the 2 configuration files is correct to configure authentication and encryption for remote logging? Does each of the files mean a different thing?

Thank you.

Regards

[1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
[2] https://github.com/ComplianceAsCode/content/pull/3619

Jan Černý
Security Technologies | Red Hat, Inc.
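
The check discussed in the message above, as an added example that is not part of the original post or of the referenced patch: a Python classifier for an audisp-remote.conf body that accepts both the older "enable_krb5 = yes" and the newer "transport = KRB5". The function names, the parsing rules (case-insensitive keys and values, '#' comments, last assignment wins, an explicit 'transport' overriding 'enable_krb5') and the sample config bodies are assumptions of this example.

```python
import os
import re

# 'key = value' line; parsing rules here are assumptions of this example.
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_options(text):
    """Return {lowercased key: value}; '#' starts a comment, last assignment wins."""
    opts = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts

def krb5_status(text):
    """Classify a config body as 'transport', 'legacy' or 'unencrypted'."""
    opts = parse_options(text)
    if "transport" in opts:
        # Newer syntax from the message: transport = KRB5
        return "transport" if opts["transport"].lower() == "krb5" else "unencrypted"
    if opts.get("enable_krb5", "").lower() == "yes":
        # Older syntax from the message: enable_krb5 = yes
        return "legacy"
    return "unencrypted"

# Constructed sample bodies (not taken from a real system).
NEW_STYLE = "remote_server = logs.example.test\ntransport = KRB5  # encrypted\n"
OLD_STYLE = "remote_server = logs.example.test\nenable_krb5 = yes\n"
COMMENTED = "# transport = KRB5\ntransport = tcp\nenable_krb5 = yes\n"

# The two audisp-remote.conf locations named in the message.
PATHS = ("/etc/audit/audisp-remote.conf", "/etc/audisp/audisp-remote.conf")

def check_host(paths=PATHS):
    """Return {path: status} for each listed file that exists on this host."""
    result = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                result[path] = krb5_status(fh.read())
    return result

if __name__ == "__main__":
    for path, status in check_host().items():
        print(f"{path}: {status}")
```
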
