Hi Steve,
Thank you very much for clarification.
Regards
Jan Černý Security Technologies | Red Hat, Inc.
----- Original Message -----
From: "Steve Grubb" sgrubb@redhat.com
To: "Jan Cerny" jcerny@redhat.com
Cc: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Friday, November 23, 2018 4:28:52 PM
Subject: Re: Audit 3.0 and SCAP rule "Encrypt Audit Records Sent With audispd Plugin"
On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> Hi,
> We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1]. It checks that enable_krb5 = yes is set in /etc/audisp/audisp-remote.conf. We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
> I have found that audisp-remote.conf has moved to /etc/audit and that the "enable_krb5 = yes" option has been superseded by "transport = KRB5". I have created a patch [2] that fixes the rule, OVAL, etc.
Yes. This is in preparation for a TLS option since setting up a Kerberos server is a large task.
> However, it turned out that the 'transport' option can also be set in /etc/audit/auditd.conf.
This would be for the aggregating server rather than the remote client that is sending. Both sides have to agree on what transport will be used.
> It's not clear to me if we should check /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.
On the remote system, check /etc/audit/audisp-remote.conf and on the server check /etc/audit/auditd.conf. Note that all audit configuration is now consolidated under /etc/audit/. Also, the server should have some other things enabled that should not be enabled on clients such as krb5_principal, krb5_key_file, transport, tcp_listen_port, and tcp_listen_queue. On all systems you would want to check settings for:
local_events = yes
log_format = enriched
flush = INCREMENTAL_ASYNC
name_format = hostname
On remote client systems, you should check:
remote_server =
port = 60
transport = krb5
mode = forward
queue_depth = 10240 (or larger)
format = managed
krb5_principal =
krb5_client_name = auditd
krb5_key_file = /etc/audit/audisp-remote.key
-Steve
> Which of the two configuration files is correct to configure authentication and encryption for remote logging? Does each of the files mean a different thing?
> Thank you.
> Regards
> [1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
> [2] https://github.com/ComplianceAsCode/content/pull/3619
> Jan Černý Security Technologies | Red Hat, Inc.
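Added example, not part of the thread or of the ComplianceAsCode project: a small POSIX shell check of the client-side /etc/audit/audisp-remote.conf settings Steve lists (transport, krb5_key_file, remote_server), tolerant of "key = value" spacing, comments and the KRB5/krb5 case difference seen above. The sample configs, the aggregator hostname and the temp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify an audit 3.0 remote client is configured for Kerberos transport.

conf_get() {
    # conf_get FILE KEY -> value of KEY (last occurrence wins), empty when unset.
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { key=$1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
          if (key == k) { v=$2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); val=v } }
        END { print val }' "$1"
}

check_remote_client() {
    # Returns 0 when transport is krb5 (any case), a key file and a server are set.
    f="$1"; rc=0
    t=$(conf_get "$f" transport | tr 'A-Z' 'a-z')
    [ "$t" = "krb5" ] || { echo "$f: transport is '$t', expected krb5"; rc=1; }
    [ -n "$(conf_get "$f" krb5_key_file)" ] || { echo "$f: krb5_key_file not set"; rc=1; }
    [ -n "$(conf_get "$f" remote_server)" ] || { echo "$f: remote_server not set"; rc=1; }
    return $rc
}

tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
# constructed sample of a client /etc/audit/audisp-remote.conf (audit 3.0 layout)
remote_server = audit-aggregator.example.internal
port = 60
transport = KRB5
mode = forward
queue_depth = 10240
format = managed
krb5_client_name = auditd
krb5_key_file = /etc/audit/audisp-remote.key
EOF
cat > "$tmp/legacy.conf" <<'EOF'
# constructed sample still using the pre-3.0 option that "transport" superseded
remote_server = audit-aggregator.example.internal
enable_krb5 = yes
EOF

check_remote_client "$tmp/good.conf" && echo "good.conf: OK"
check_remote_client "$tmp/legacy.conf" || echo "legacy.conf: FAIL (enable_krb5 alone is not enough)"
```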