Glad to hear that TLS is on its way. Any chance of it being back-ported for universal consistency?

I don't mind KRB, but I don't see any server guidance in the SSG so it's been...interesting...to get propagated effectively and, of course, there is the battle of AD vs IPA vs MIT etc...

On Fri, Nov 23, 2018 at 10:29 AM Steve Grubb <[email protected]> wrote:

> On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> > Hi,
> >
> > We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> > It checks that enable_krb5 = yes is set in
> > /etc/audisp/audisp-remote.conf.
> > We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
> >
> > I have found that the audisp-remote.conf has moved to /etc/audit and
> > that "enable_krb5 = yes" option has been superseded by "transport =
> > KRB5".
> > I have created a patch [2] that fixes the rule, OVAL, etc.
>
> Yes. This is in preparation for a TLS option since setting up a kerberos
> server is a large task.
>
> > However, it turned out that 'transport' option can be set also in
> > /etc/audit/auditd.conf.
>
> This would be for the aggregating server rather than the remote client
> that is sending. Both sides have to agree on what transport will be used.
>
> > It's not clear to me if we should check
> > /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.
>
> On the remote system, check /etc/audit/audisp-remote.conf and on the
> server check /etc/audit/auditd.conf. Note that all audit configuration is
> now consolidated under /etc/audit/. Also, the server should have some other
> things enabled that should not be enabled on clients such as
> krb5_principal, krb5_key_file, transport, tcp_listen_port, and
> tcp_listen_queue. On all systems you would want to check settings for:
>
> local_events = yes
> log_format = enriched
> flush = INCREMENTAL_ASYNC
> name_format = hostname
>
> on remote client systems, you should check:
> remote_server =
> port = 60
> transport = krb5
> mode = forward
> queue_depth = 10240 (or larger)
> format = managed
> krb5_principal =
> krb5_client_name = auditd
> krb5_key_file = /etc/audit/audisp-remote.key
>
> -Steve
>
> > Which of the 2 configuration files is correct to configure authentication
> > and encryption for remote logging? Does each of the files mean a
> > different thing?
> >
> > Thank you.
> >
> > Regards
> >
> > [1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
> > [2] https://github.com/ComplianceAsCode/content/pull/3619
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
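A checker for the client and server settings Steve lists, added here as an example that is not part of the thread, the SSG rule or its OVAL; the function names and the constructed file contents are assumptions, and the parser accepts the same `key = value` layout the audit config files use, comparing values case-insensitively so that `transport = KRB5` and `transport = krb5` are treated alike:

```python
"""Added example (not SSG or OVAL content): check the auditd remote-logging settings named in the thread."""
# Settings Steve lists for a sending client's /etc/audit/audisp-remote.conf.
CLIENT_EXPECTED = {"transport": "krb5", "mode": "forward", "format": "managed",
                   "krb5_client_name": "auditd"}
# auditd.conf keys that belong on the aggregating server, not on clients.
SERVER_ONLY_KEYS = ("transport", "tcp_listen_port", "tcp_listen_queue",
                    "krb5_principal", "krb5_key_file")

def parse_audit_conf(text):
    """Parse 'key = value' lines into a dict; blanks and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key.lower()] = value
    return conf

def check_remote_client(text):
    """Return findings for audisp-remote.conf on a client that forwards records."""
    conf = parse_audit_conf(text)
    findings = []
    if "enable_krb5" in conf:  # the pre-Fedora 29 / RHEL 8 spelling of the option
        findings.append("enable_krb5 is obsolete; set 'transport = krb5' instead")
    for key, want in CLIENT_EXPECTED.items():
        got = conf.get(key, "").lower()  # KRB5 and krb5 are the same setting
        if got != want:
            findings.append(f"{key} = {got or '<unset>'} (expected {want})")
    for key in ("remote_server", "krb5_principal", "krb5_key_file"):
        if not conf.get(key):
            findings.append(f"{key} is not set")
    depth = conf.get("queue_depth", "0")
    if not depth.isdigit() or int(depth) < 10240:
        findings.append("queue_depth should be 10240 or larger")
    return findings

def check_auditd_conf(text, role):
    """Return findings for auditd.conf; role is 'server' (aggregator) or 'client'."""
    conf = parse_audit_conf(text)
    findings = []
    if role == "server":
        if conf.get("transport", "").lower() != "krb5":
            findings.append("server transport is not krb5")
        if not conf.get("tcp_listen_port"):
            findings.append("server does not set tcp_listen_port")
    else:
        for key in SERVER_ONLY_KEYS:
            if key in conf:
                findings.append(f"{key} is a server-side setting; remove it from clients")
    return findings
```

Run `check_remote_client(open("/etc/audit/audisp-remote.conf").read())` on a sending client and `check_auditd_conf(open("/etc/audit/auditd.conf").read(), "server")` on the aggregator; an empty list means the file matches the settings in the thread.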
