On Fri, Nov 23, 2018 at 8:00 AM Jan Cerny <[email protected]> wrote:
> We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> It checks that enable_krb5 = yes is set in /etc/audisp/audisp-remote.conf.
> We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
Just out of curiosity, did anyone ever get this working under *RHEL7*, let alone RHEL8?

The bitter irony is that even if you *are* a Kerberos shop (e.g., we have full LDAP+Kerberos integration with Microsoft Active Directory via sssd and gssproxy), configuring auditd for Kerberos is still a complicated kabuki dance. I attempted to wrap audisp-remote with gssproxy, but that doesn't disable audisp-remote's checking of the characteristics of the key file. Even after I set up everything properly (or so I thought), audit forwarding worked only intermittently.

I was going to file a "MAKE THIS WORK DAMMIT" Red Hat support case, but once I stumbled across this bug, I ran shrieking from Kerberized audit forwarding:

https://bugzilla.redhat.com/show_bug.cgi?id=1622194

The only explanation for why a memory leak like that could persist for years in the code is that *no one* is using Kerberized audit record forwarding.

With all due respect to Steve Grubb, how many other critical bugs (potentially security-related) are lurking in the Kerberized audit forwarding code that have never been found, simply because only people who have to care about the RHEL7 STIG even know that audisp-remote has Kerberized audit record forwarding capabilities, let alone have attempted to enable it?

"Services that provide core security features" and "extremely infrequently-used code paths" aren't two great tastes that taste great together, unfortunately.

_______________________________________________
scap-security-guide mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
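The rule Jan quotes at the top of the thread boils down to a configuration check: does audisp-remote.conf set enable_krb5 = yes? The following is an added example of that check written as a portable shell script; it is not the SCAP Security Guide's own OVAL/remediation content, nor code from the audit project. It accepts more than one candidate path because the thread reports the check failing on Fedora 29 and RHEL 8; the second path, /etc/audit/audisp-remote.conf, is an assumption about where newer audit packages put the file and should be verified against the installed package rather than taken from this script. Comment stripping, whitespace tolerance and "last assignment wins" are choices made here for robustness, not a statement about how audisp-remote itself parses the file.

```shell
#!/bin/sh
# Added example (not from SSG or the audit project): check whether an
# audisp-remote.conf file enables Kerberos for forwarded audit records.
#
# Assumptions, labelled as such:
#   - /etc/audisp/audisp-remote.conf is the legacy path quoted in the thread;
#   - /etc/audit/audisp-remote.conf is ASSUMED to be the location used by
#     newer audit packages (Fedora 29 / RHEL 8); confirm on your system.

# krb5_enabled_in FILE
# Returns 0 if FILE contains an uncommented "enable_krb5 = yes" (value
# matched case-insensitively, surrounding whitespace ignored), 1 otherwise.
# If the key appears more than once, the last assignment is used (a choice
# made here; audisp-remote's own parser may treat duplicates differently).
krb5_enabled_in() {
    f="$1"
    [ -r "$f" ] || return 1
    val=$(sed -e 's/#.*//' "$f" \
          | grep -i '^[[:space:]]*enable_krb5[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "yes" ]
}

# check_audisp_remote_krb5 PATH...
# Uses the first readable PATH. Prints a PASS/FAIL line and returns
# 0 on pass, 1 on fail, 2 when none of the candidate files exist.
check_audisp_remote_krb5() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            if krb5_enabled_in "$f"; then
                echo "PASS: enable_krb5 = yes in $f"
                return 0
            fi
            echo "FAIL: enable_krb5 is not set to yes in $f"
            return 1
        fi
    done
    echo "FAIL: no audisp-remote.conf found in: $*"
    return 2
}

# Run against the paths given on the command line, e.g.
#   sh check_krb5.sh /etc/audit/audisp-remote.conf /etc/audisp/audisp-remote.conf
if [ "$#" -gt 0 ]; then
    check_audisp_remote_krb5 "$@"
fi
```

Note what the check does and does not establish: a passing result only says the option is set, not that audisp-remote actually negotiated Kerberos with the aggregator, which is the part the reply above describes as working intermittently. Correlating with the daemon's own log lines after a restart is still needed for that.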
