On Monday, November 26, 2018 8:29:18 AM EST Trevor Vaughan wrote:
> Glad to hear that TLS is on its way. Any chance of it being back-ported for
> universal consistency?

No chance because of the changes to the config files in a shipped product. I
rushed these changes into place before RHEL 8 ships so that it can be
delivered later.

> I don't mind KRB, but I don't see any server guidance in the SSG so it's
> been...interesting...to get propagated effectively and, of course, there is
> the battle of AD vs IPA vs MIT etc...

Yep. Hopefully TLS will work better for people with small to medium setups. I
have also heard of people using libreswan to make a vpn connection to a
server. To me, that also sounds complicated.

-Steve

> On Fri, Nov 23, 2018 at 10:29 AM Steve Grubb <[email protected]> wrote:
> > On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> > > Hi,
> > >
> > > We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> > > It checks that enable_krb5 = yes is set in
> > > /etc/audisp/audisp-remote.conf.
> > >
> > > We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
> > >
> > > I have found that the audisp-remote.conf has moved to /etc/audit and
> > > that "enable_krb5 = yes" option has been superseded by "transport =
> > > KRB5".
> > >
> > > I have created a patch [2] that fixes the rule, OVAL, etc.
> >
> > Yes. This is in preparation for a TLS option since setting up a kerberos
> > server is a large task.
> >
> > > However, it turned out that 'transport' option can be set also in
> > > /etc/audit/auditd.conf.
> >
> > This would be for the aggregating server rather than the remote client
> > that is sending. Both sides have to agree on what transport will be used.
> >
> > > It's not clear to me if we should check
> > > /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.
> >
> > On the remote system, check /etc/audit/audisp-remote.conf and on the
> > server check /etc/audit/auditd.conf. Note that all audit configuration is
> > now consolidated under /etc/audit/.
> >
> > Also, the server should have some other things enabled that should not be
> > enabled on clients such as krb5_principal, krb5_key_file, transport,
> > tcp_listen_port, and tcp_listen_queue. On all systems you would want to
> > check settings for:
> >
> > local_events = yes
> > log_format = enriched
> > flush = INCREMENTAL_ASYNC
> > name_format = hostname
> >
> > on remote client systems, you should check:
> > remote_server =
> > port = 60
> > transport = krb5
> > mode = forward
> > queue_depth = 10240 (or larger)
> > format = managed
> > krb5_principal =
> > krb5_client_name = auditd
> > krb5_key_file = /etc/audit/audisp-remote.key
> >
> > -Steve
> >
> > > Which of the 2 configuration files is correct to configure
> > > authentication and encryption for remote logging? Does each of the
> > > files mean a different thing?
> > >
> > > Thank you.
> > >
> > > Regards
> > >
> > > [1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
> > > [2] https://github.com/ComplianceAsCode/content/pull/3619
> > >
> > > Jan Černý
> > > Security Technologies | Red Hat, Inc.
> >
> > _______________________________________________
> > scap-security-guide mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
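The per-role checks Steve lists in the quoted message, written out as an added example (not ComplianceAsCode's OVAL and not part of audit itself); it assumes only the `key = value` syntax with `#` comments that auditd.conf and audisp-remote.conf use, and when run directly it reads the two /etc/audit files named in the thread on a client host.

```python
# Added example, not ComplianceAsCode's own OVAL: check the settings listed above on the
# RHEL 8 / Fedora 29 layout, where audisp-remote.conf uses 'transport = krb5', not 'enable_krb5'.
COMMON = {"local_events": "yes", "log_format": "enriched",       # auditd.conf, all systems
          "flush": "incremental_async", "name_format": "hostname"}
CLIENT = {"transport": "krb5", "mode": "forward", "format": "managed",  # audisp-remote.conf
          "krb5_client_name": "auditd", "krb5_key_file": "/etc/audit/audisp-remote.key"}
CLIENT_PRESENT = ("remote_server", "krb5_principal")  # site-specific: presence only
MIN_QUEUE_DEPTH = 10240
# auditd.conf settings for the aggregating server that a client should not carry.
SERVER_ONLY = ("krb5_principal", "krb5_key_file", "transport",
               "tcp_listen_port", "tcp_listen_queue")

def parse_audit_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings

def check_remote_conf(text):
    """Return (key, reason) problems for a client's audisp-remote.conf."""
    s, problems = parse_audit_conf(text), []
    if "enable_krb5" in s and "transport" not in s:
        problems.append(("enable_krb5", "legacy key; use 'transport = krb5'"))
    for key, want in CLIENT.items():
        got = s.get(key)
        if got is None:
            problems.append((key, "missing"))
        elif got.lower() != want.lower():
            problems.append((key, f"is {got!r}, expected {want!r}"))
    problems += [(k, "missing or empty") for k in CLIENT_PRESENT if not s.get(k)]
    depth = s.get("queue_depth", "")
    if not depth.isdigit() or int(depth) < MIN_QUEUE_DEPTH:
        problems.append(("queue_depth", f"should be >= {MIN_QUEUE_DEPTH}"))
    return problems

def check_auditd_conf(text, role):
    """Return (key, reason) problems for auditd.conf; role is 'client' or 'server'."""
    s = parse_audit_conf(text)
    problems = [(k, f"is {s.get(k)!r}, expected {v!r}")
                for k, v in COMMON.items() if s.get(k, "").lower() != v.lower()]
    wrong = [k for k in SERVER_ONLY if (k in s) != (role == "server")]
    return problems + [(k, "should " + ("" if role == "server" else "not ") + "be set") for k in wrong]

if __name__ == "__main__":  # on a client host, check both files under /etc/audit
    with open("/etc/audit/audisp-remote.conf") as f:
        print(check_remote_conf(f.read()))
    with open("/etc/audit/auditd.conf") as f:
        print(check_auditd_conf(f.read(), "client"))
```

An empty list means the file carries every setting from the list above; the legacy `enable_krb5` key is reported separately so a pre-RHEL 8 client config is called out rather than silently passing.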
