Hi Steve,

Thank you very much for the clarification.

Regards
Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Steve Grubb" <[email protected]>
> To: "Jan Cerny" <[email protected]>
> Cc: "SCAP Security Guide" <[email protected]>
> Sent: Friday, November 23, 2018 4:28:52 PM
> Subject: Re: Audit 3.0 and SCAP rule "Encrypt Audit Records Sent With audispd Plugin"
>
> On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> > Hi,
> >
> > We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> > It checks that enable_krb5 = yes is set in /etc/audisp/audisp-remote.conf.
> > We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
> >
> > I have found that audisp-remote.conf has moved to /etc/audit and
> > that the "enable_krb5 = yes" option has been superseded by "transport = KRB5".
> > I have created a patch [2] that fixes the rule, OVAL, etc.
>
> Yes. This is in preparation for a TLS option since setting up a kerberos
> server is a large task.
>
> > However, it turned out that the 'transport' option can also be set in
> > /etc/audit/auditd.conf.
>
> This would be for the aggregating server rather than the remote client that
> is sending. Both sides have to agree on what transport will be used.
>
> > It's not clear to me if we should check
> > /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.
>
> On the remote system, check /etc/audit/audisp-remote.conf and on the server
> check /etc/audit/auditd.conf. Note that all audit configuration is now
> consolidated under /etc/audit/. Also, the server should have some other
> things enabled that should not be enabled on clients such as krb5_principal,
> krb5_key_file, transport, tcp_listen_port, and tcp_listen_queue.
>
> On all systems you would want to check settings for:
>
> local_events = yes
> log_format = enriched
> flush = INCREMENTAL_ASYNC
> name_format = hostname
>
> On remote client systems, you should check:
>
> remote_server =
> port = 60
> transport = krb5
> mode = forward
> queue_depth = 10240 (or larger)
> format = managed
> krb5_principal =
> krb5_client_name = auditd
> krb5_key_file = /etc/audit/audisp-remote.key
>
> -Steve
>
> > Which of the 2 configuration files is correct to configure authentication
> > and encryption for remote logging? Does each of the files mean a different
> > thing?
> >
> > Thank you.
> >
> > Regards
> >
> > [1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
> > [2] https://github.com/ComplianceAsCode/content/pull/3619
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
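The split Steve describes (per-host settings in auditd.conf, sender settings in audisp-remote.conf, listener and Kerberos settings only on the aggregating server) is easy to get wrong when a single OVAL check looks at one file. The script below is an added example written for this page; it is not part of the thread, of ComplianceAsCode, or of the audit project. It parses the `key = value` format both files use and reports deviations from the values listed in the reply, for the role the host plays. Assumptions: keyword values such as `enriched`/`ENRICHED` and `krb5`/`KRB5` are compared case-insensitively (the thread itself uses both spellings), `port` is expected to be 60 as listed, the old `enable_krb5` key is flagged as obsolete because the thread says `transport` superseded it, and the hostnames, principals and the server key-file path in the sample configs are constructed placeholders.

```python
"""Check auditd remote-logging settings against the values from the thread.

Added example (not ComplianceAsCode/OVAL content). Sample configs at the
bottom are constructed for the demo, not taken from a real host.
"""
import re

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Settings to check on every host (/etc/audit/auditd.conf).
COMMON = {"local_events": "yes", "log_format": "enriched",
          "flush": "incremental_async", "name_format": "hostname"}
# Fixed-value settings for a sending client (/etc/audit/audisp-remote.conf).
CLIENT = {"transport": "krb5", "mode": "forward", "format": "managed",
          "krb5_client_name": "auditd",
          "krb5_key_file": "/etc/audit/audisp-remote.key"}
# Listener keys belong in the aggregating server's auditd.conf only.
LISTENER_KEYS = ("tcp_listen_port", "tcp_listen_queue")


def parse_audit_conf(text):
    """Parse auditd.conf / audisp-remote.conf text into {key: value}.

    Keys are lower-cased, '#' comments and blank lines are skipped, and a
    repeated key keeps its last value (this parser's choice, an assumption).
    """
    conf = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def _expect(conf, key, want, where, findings, exact=False):
    got = conf.get(key)
    if got is None:
        findings.append(f"{where}: {key} is not set (expected {want})")
    elif (got != want) if exact else (got.lower() != want.lower()):
        findings.append(f"{where}: {key} = {got} (expected {want})")


def _expect_set(conf, key, where, findings):
    if not conf.get(key):
        findings.append(f"{where}: {key} must be set")


def check_common(auditd):
    """Settings Steve lists for all systems."""
    findings = []
    for key, want in COMMON.items():
        _expect(auditd, key, want, "auditd.conf", findings)
    return findings


def check_client(auditd, remote, expected_port="60"):
    """A remote (sending) client: auditd.conf plus audisp-remote.conf."""
    f = check_common(auditd)
    if "enable_krb5" in remote:  # pre-3.0 key, superseded by 'transport'
        f.append("audisp-remote.conf: enable_krb5 is obsolete; use transport = krb5")
    for key, want in CLIENT.items():
        _expect(remote, key, want, "audisp-remote.conf", f,
                exact=(key == "krb5_key_file"))  # paths are case-sensitive
    for key in ("remote_server", "krb5_principal"):
        _expect_set(remote, key, "audisp-remote.conf", f)
    _expect(remote, "port", expected_port, "audisp-remote.conf", f)
    depth = remote.get("queue_depth", "")
    if not depth.isdigit() or int(depth) < 10240:
        f.append(f"audisp-remote.conf: queue_depth = {depth or '(unset)'} "
                 "(expected 10240 or larger)")
    for key in LISTENER_KEYS:  # a client must not also be a listener
        if key in auditd:
            f.append(f"auditd.conf: {key} is set on a client; remove it")
    return f


def check_server(auditd):
    """The aggregating server: everything lives in auditd.conf."""
    f = check_common(auditd)
    _expect(auditd, "transport", "krb5", "auditd.conf", f)
    for key in ("tcp_listen_port", "krb5_principal", "krb5_key_file"):
        _expect_set(auditd, key, "auditd.conf", f)
    return f


# Constructed samples (hostnames, principals and server key path are placeholders).
GOOD_AUDITD = """\
local_events = yes
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
name_format = hostname
"""
GOOD_REMOTE = """\
remote_server = audit-collector.example.test
port = 60
transport = KRB5
mode = forward
queue_depth = 20480
format = managed
krb5_principal = auditd/client1.example.test
krb5_client_name = auditd
krb5_key_file = /etc/audit/audisp-remote.key
"""
OLD_REMOTE = """\
# RHEL 7-era layout: the key the old SCAP rule looked for
remote_server = audit-collector.example.test
enable_krb5 = yes
"""
SERVER_AUDITD = GOOD_AUDITD + """\
transport = krb5
tcp_listen_port = 60
tcp_listen_queue = 5
krb5_principal = auditd/audit-collector.example.test
krb5_key_file = /etc/audit/server.key
"""

if __name__ == "__main__":
    for label, result in (
        ("client (current layout)", check_client(parse_audit_conf(GOOD_AUDITD), parse_audit_conf(GOOD_REMOTE))),
        ("client (old enable_krb5)", check_client(parse_audit_conf(GOOD_AUDITD), parse_audit_conf(OLD_REMOTE))),
        ("server", check_server(parse_audit_conf(SERVER_AUDITD))),
    ):
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run against real hosts by reading `/etc/audit/auditd.conf` and `/etc/audit/audisp-remote.conf` into `parse_audit_conf`; a client that passes `check_client` but whose auditd.conf also carries `tcp_listen_port` is reported, which is the mismatch an auditd.conf-only or audisp-remote.conf-only rule would miss.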
