Personally, I just shoved it into syslog and let it encrypt from there with an 'offload prior to local' rule.
I get that audit logs are important but the main syslog subsystem is much more likely to be monitored and processed in an enterprise environment (wherever it goes) than a different one-off subsystem with independent logging. Trevor On Mon, Nov 26, 2018 at 8:42 AM Steve Grubb <[email protected]> wrote: > On Monday, November 26, 2018 8:29:18 AM EST Trevor Vaughan wrote: > > Glad to hear that TLS is on its way. Any chance of it being back-ported > for > > universal consistency? > > No chance because of the changes to the config files in a shipped product. > I > rushed these changes into place before RHEL 8 ships so that it can be > delivered later. > > > > I don't mind KRB, but I don't see any server guidance in the SSG so it's > > been...interesting...to get propagated effectively and, of course, there > is > > the battle of AD vs IPA vs MIT etc... > > Yep. Hopefully TLS will work better for people with small to medium > setups. I > have also heard of people using libreswan to make a vpn connection to a > server. To me, that also sounds complicated. > > -Steve > > > On Fri, Nov 23, 2018 at 10:29 AM Steve Grubb <[email protected]> wrote: > > > On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote: > > > > Hi, > > > > > > > > We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1]. > > > > It checks that enable_krb5 = yes is set in > > > > > > /etc/audisp/audisp-remote.conf. > > > > > > > We have found that it doesn't work anymore on Fedora 29 and RHEL 8. > > > > > > > > I have found that the audisp-remote.conf has moved to /etc/audit and > > > > that "enable_krb5 = yes" option has been superseded by "transport = > > > > > > KRB5". > > > > > > > I have created a patch [2] that fixes the rule, OVAL, etc. > > > > > > Yes. This is in preparation for a TLS option since setting up a > kerberos > > > server is a large task. > > > > > > > However, it turned out that 'transport' option can be set also in > > > > /etc/audit/auditd.conf. > > > > > > This would be for the aggregating server rather than the remote client > > > that > > > is sending. Both sides have to agree on what transport will be used. > > > > > > > It's not clear to me if we should check > > > > /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both. > > > > > > On the remote system, check /etc/audit/audisp-remote.conf and on the > > > server > > > check /etc/audit/auditd.conf. Note that all audit configuration is now > > > consolidated under /etc/audit/. Also, the server should have some other > > > things enabled that should not be enabled on clients such as > > > krb5_principal, > > > krb5_key_file, transport, tcp_listen_port, and tcp_listen_queue. On all > > > systems you would want to check settings for: > > > > > > local_events = yes > > > log_format = enriched > > > flush = INCREMENTAL_ASYNC > > > name_format = hostname > > > > > > on remote client systems, you should check: > > > remote_server = > > > port = 60 > > > transport = krb5 > > > mode = forward > > > queue_depth = 10240 (or larger) > > > format = managed > > > krb5_principal = > > > krb5_client_name = auditd > > > krb5_key_file = /etc/audit/audisp-remote.key > > > > > > -Steve > > > > > > > Which of the 2 configuration files is correct to configure > > > > authentication > > > > and encryption for remote logging? Does each of the files mean a > > > > > > different > > > > > > > thing? > > > > > > > > Thank you. > > > > > > > > Regards > > > > > > > > [1] > > > > > > > https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/sy > > > s > > > > > > > tem/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_ > > > re> > > > > cords/rule.yml [2] > > > > https://github.com/ComplianceAsCode/content/pull/3619 > > > > > > > > Jan Černý > > > > Security Technologies | Red Hat, Inc. > > > > > > _______________________________________________ > > > scap-security-guide mailing list -- > > > [email protected] > > > To unsubscribe send an email to > > > [email protected] > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > > dorahosted.org > > > > > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
