On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> Hi,
>
> We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> It checks that enable_krb5 = yes is set in /etc/audisp/audisp-remote.conf.
> We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
>
> I have found that the audisp-remote.conf has moved to /etc/audit and
> that "enable_krb5 = yes" option has been superseded by "transport = KRB5".
> I have created a patch [2] that fixes the rule, OVAL, etc.

Yes. This is in preparation for a TLS option since setting up a Kerberos
server is a large task.

> However, it turned out that 'transport' option can be set also in
> /etc/audit/auditd.conf.

This would be for the aggregating server rather than the remote client that
is sending. Both sides have to agree on what transport will be used.

> It's not clear to me if we should check
> /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.

On the remote system, check /etc/audit/audisp-remote.conf and on the server
check /etc/audit/auditd.conf. Note that all audit configuration is now
consolidated under /etc/audit/. Also, the server should have some other
things enabled that should not be enabled on clients, such as krb5_principal,
krb5_key_file, transport, tcp_listen_port, and tcp_listen_queue.

On all systems you would want to check settings for:

local_events = yes
log_format = enriched
flush = INCREMENTAL_ASYNC
name_format = hostname

On remote client systems, you should check:

remote_server =
port = 60
transport = krb5
mode = forward
queue_depth = 10240 (or larger)
format = managed
krb5_principal =
krb5_client_name = auditd
krb5_key_file = /etc/audit/audisp-remote.key

-Steve

> Which of the 2 configuration files is correct to configure authentication
> and encryption for remote logging? Does each of the files mean a different
> thing?
>
> Thank you.
>
> Regards
>
> [1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
> [2] https://github.com/ComplianceAsCode/content/pull/3619
>
> Jan Černý
> Security Technologies | Red Hat, Inc.
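The client-side settings Steve lists above, turned into a small compliance check. This is an added example, not code from the audit project or from the scap-security-guide rule: it parses auditd-style `key = value` text, compares it against the values in the reply, and flags the obsolete `enable_krb5` key. The two sample configuration texts are constructed.

```python
import re

# Expected values from the reply above (None means "must be set, any value").
COMMON_AUDITD = {"local_events": "yes", "log_format": "enriched",
                 "flush": "incremental_async", "name_format": "hostname"}
CLIENT_REMOTE = {"remote_server": None, "port": "60", "transport": "krb5",
                 "mode": "forward", "format": "managed", "krb5_principal": None,
                 "krb5_client_name": "auditd", "krb5_key_file": "/etc/audit/audisp-remote.key"}
MIN_QUEUE_DEPTH = 10240

def parse_audit_conf(text):
    """Parse 'key = value' lines the way auditd does; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", raw.split("#", 1)[0])
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def check_settings(settings, expected):
    """Return a list of findings; an empty list means the settings comply."""
    findings = []
    for key, want in expected.items():
        have = settings.get(key, "")
        if not have:
            findings.append(f"{key}: not set")
        elif want is not None and have.lower() != want.lower():  # case-insensitive
            findings.append(f"{key}: expected {want!r}, found {have!r}")
    return findings

def check_remote_client(auditd_conf, audisp_remote_conf):
    """Findings for a client that forwards records to an aggregating server."""
    findings = check_settings(parse_audit_conf(auditd_conf), COMMON_AUDITD)
    remote = parse_audit_conf(audisp_remote_conf)
    findings += check_settings(remote, CLIENT_REMOTE)
    depth = remote.get("queue_depth", "")
    if not depth.isdigit() or int(depth) < MIN_QUEUE_DEPTH:
        findings.append(f"queue_depth: expected >= {MIN_QUEUE_DEPTH}, found {depth!r}")
    if "enable_krb5" in remote:  # superseded by 'transport = krb5'
        findings.append("enable_krb5: obsolete, use 'transport = krb5'")
    return findings

# Constructed sample configs (not taken from any real host).
SAMPLE_AUDITD_CONF = "local_events = yes\nlog_format = ENRICHED\n" \
                     "flush = INCREMENTAL_ASYNC\nname_format = hostname\n"
SAMPLE_REMOTE_CONF = "\n".join([
    "enable_krb5 = yes  # old-style setting, no longer honoured",
    "remote_server = collector.example.internal", "port = 60",
    "transport = tcp", "mode = forward", "queue_depth = 2048",
    "format = managed", "krb5_client_name = auditd",
    "krb5_key_file = /etc/audit/audisp-remote.key"])
```

Run `check_remote_client(SAMPLE_AUDITD_CONF, SAMPLE_REMOTE_CONF)` against the sample to see the wrong transport, the missing principal, the small queue and the obsolete key reported; on a real client, pass the contents of /etc/audit/auditd.conf and /etc/audit/audisp-remote.conf instead.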
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
