On Monday, November 26, 2018 8:29:18 AM EST Trevor Vaughan wrote:
Glad to hear that TLS is on its way. Any chance of it being
back-ported for
universal consistency?
No chance because of the changes to the config files in a shipped product. I
rushed these changes into place before RHEL 8 ships so that it can be
delivered later.
I don't mind KRB, but I don't see any server guidance in the
SSG so it's
been...interesting...to get propagated effectively and, of course, there is
the battle of AD vs IPA vs MIT etc...
Yep. Hopefully TLS will work better for people with small to medium setups. I
have also heard of people using libreswan to make a vpn connection to a
server. To me, that also sounds complicated.
-Steve
On Fri, Nov 23, 2018 at 10:29 AM Steve Grubb
<sgrubb(a)redhat.com> wrote:
> On Friday, November 23, 2018 8:00:17 AM EST Jan Cerny wrote:
> > Hi,
> >
> > We have a rule 'Encrypt Audit Records Sent With audispd Plugin' [1].
> > It checks that enable_krb5 = yes is set in
>
> /etc/audisp/audisp-remote.conf.
>
> > We have found that it doesn't work anymore on Fedora 29 and RHEL 8.
> >
> > I have found that the audisp-remote.conf has moved to /etc/audit and
> > that "enable_krb5 = yes" option has been superseded by
"transport =
>
> KRB5".
>
> > I have created a patch [2] that fixes the rule, OVAL, etc.
>
> Yes. This is in preparation for a TLS option since setting up a kerberos
> server is a large task.
>
> > However, it turned out that 'transport' option can be set also in
> > /etc/audit/auditd.conf.
>
> This would be for the aggregating server rather than the remote client
> that
> is sending. Both sides have to agree on what transport will be used.
>
> > It's not clear to me if we should check
> > /etc/audisp/audisp-remote.conf or /etc/audit/auditd.conf or both.
>
> On the remote system, check /etc/audit/audisp-remote.conf and on the
> server
> check /etc/audit/auditd.conf. Note that all audit configuration is now
> consolidated under /etc/audit/. Also, the server should have some other
> things enabled that should not be enabled on clients such as
> krb5_principal,
> krb5_key_file, transport, tcp_listen_port, and tcp_listen_queue. On all
> systems you would want to check settings for:
>
> local_events = yes
> log_format = enriched
> flush = INCREMENTAL_ASYNC
> name_format = hostname
>
> on remote client systems, you should check:
> remote_server =
> port = 60
> transport = krb5
> mode = forward
> queue_depth = 10240 (or larger)
> format = managed
> krb5_principal =
> krb5_client_name = auditd
> krb5_key_file = /etc/audit/audisp-remote.key
>
> -Steve
>
> > Which of the 2 configuration files is correct to configure
> > authentication
> > and encryption for remote logging? Does each of the files mean a
>
> different
>
> > thing?
> >
> > Thank you.
> >
> > Regards
> >
> > [1]
>
>
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/sy
> s
>
> tem/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_
> re>
> > cords/rule.yml [2]
> >
https://github.com/ComplianceAsCode/content/pull/3619
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
>
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe
>
dorahosted.org