Hi Ray, I just checked audit-remote with KRB5 and it works for me. Let me share my configuration for comparison and maybe it will help you spot an error.
SERVER:

auditd.conf:
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/auditd.keytab

kadmin.local -q "addprinc -randkey auditd/<SERVER_HOSTNAME>"
kadmin.local -q "ktadd -k /etc/auditd.keytab auditd/<SERVER_HOSTNAME>"
chmod 0400 /etc/auditd.keytab

CLIENT:

audisp-remote.conf:
enable_krb5 = yes
krb5_principal = auditd/<SERVER_HOSTNAME>
krb5_client_name = auditd
krb5_key_file = /etc/auditd.keytab

kadmin -w <SECRET> -q "addprinc -randkey auditd/<CLIENT_HOSTNAME>"
kadmin -w <SERVER> -q "ktadd -k /etc/auditd.keytab auditd/<CLIENT_HOSTNAME>"
chmod 0400 /etc/auditd.keytab

Also, selinux has some issues when using audit remote logging with kerberos. You need to turn off enforcing mode, try logging and use the generated AVCs to create a selinux module resolving the issues.

When auditd is started on CLIENT, it is correctly connected and remote logging works.

Apr 25 06:45:53 ... systemd[1]: Starting Security Auditing Service...
Apr 25 06:45:53 ... auditd[20561]: Started dispatcher: /sbin/audispd pid: 20563
Apr 25 06:45:53 ... audispd[20563]: audispd initialized with q_depth=250 and 1 active plugins
Apr 25 06:45:53 ... audisp-remote[20564]: Audisp-remote started with queue_size: 0
Apr 25 06:45:53 ... audisp-remote[20564]: kerberos principal: auditd/<CLIENT_HOSTNAME>@TEST.ABC.COM
Apr 25 06:45:53 ... audisp-remote[20564]: Connected to <SERVER_HOSTNAME>
Apr 25 06:45:53 ... auditd[20561]: Init complete, auditd 2.8.5 listening for events (startup state enable)

Isn't there something specific to your KRB5 configuration? What are the versions of audit and kerberos?

On Wed, Apr 17, 2019 at 3:03 PM Ray Shaw <[email protected]> wrote:
>
> I've been struggling to set up audisp-remote with krb5 enabled, and also
> struggling to find much information/guidance regarding it.
>
> I'm trying to get this working on RHEL7 due to organizational requirements.
>
> Based on the man pages, I created a key file on the server:
>
> addprinc -randkey auditd/server.example.com
> ktadd -k /home/me/audit.key auditd/server.example.com
>
> then placed this (root:root 0400) in /etc/audit and set the following:
>
> enable_krb5 = yes
> krb5_principal = auditd
> krb5_key_file = /etc/audit/audit.key
>
> For the client:
>
> addprinc -randkey auditd/client.example.com
> ktadd -k /home/me/audisp-remote.key auditd/client.example.com
>
> then placed this (root:root 0400) in /etc/audisp and set the following:
>
> enable_krb5 = yes
> krb5_principal = auditd/server.example.com
> krb5_client_name = auditd
> krb5_key_file = /etc/audisp/audisp-remote.key
>
> I'm getting this message over and over again on the client:
>
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Success
> Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/[email protected]
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Invalid token was supplied
>
> and this on the server:
>
> Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes MAX_AUDIT_LENGTH
> Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client IP>:44354 will be closed, error ignored
>
> (sorry about having to mask the actual hostnames/IPs/etc.)
>
> Any idea what I'm doing wrong? Based on what I've found online, it seems
> most people don't use krb5, but unfortunately I'm now required to try. We've
> been using audisp for years, and it works fine with krb5 disabled.
> I'm...pretty sure my Kerberos realm is fine, since that's what we use for
> authentication (gdm, SSH, etc.) Though it is not the RHEL-provided Kerberos.
>
> Any assistance would be greatly appreciated.
>
> --Ray
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
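The two messages above agree on the shape of a working pairing: the server's krb5_principal is the bare service name, the client's krb5_principal is that name qualified with the server hostname, and each keytab is root-owned and mode 0400. The script below is an added example (not code from the audit project or from either poster) that parses the two plain key = value config files and reports any mismatch in that pairing, plus wrong keytab permissions. The hostnames, paths and sample configs in it are constructed placeholders modelled on the thread.

```python
"""Cross-check the Kerberos settings of an auditd server and an
audisp-remote client.

Added example, not code from the audit project. It assumes the plain
`key = value` format of auditd.conf / audisp-remote.conf and that the
keytab must be root-owned and mode 0400; all hostnames and paths below
are constructed placeholders.
"""
import os
import stat
import tempfile

# Constructed sample configs, modelled on the two files in the thread.
SERVER_CONF = """\
# auditd.conf (server side, constructed sample)
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/auditd.keytab
"""

CLIENT_CONF = """\
# audisp-remote.conf (client side, constructed sample)
enable_krb5 = yes
krb5_principal = auditd/server.example.com
krb5_client_name = auditd
krb5_key_file = /etc/auditd.keytab
"""


def parse_audit_conf(text):
    """Parse `key = value` lines; '#' starts a comment, blank lines are skipped.
    Keys are lower-cased so lookups do not depend on the author's casing."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def check_krb5_pairing(server, client, server_hostname):
    """Return a list of findings; an empty list means the two sides agree.

    The server's krb5_principal is the service name (e.g. 'auditd'); the
    client's krb5_principal must be that name qualified with the server's
    hostname, i.e. 'auditd/<SERVER_HOSTNAME>', which is also the principal
    added to the server keytab with addprinc/ktadd."""
    findings = []
    for side, conf in (("server", server), ("client", client)):
        if conf.get("enable_krb5", "no").lower() != "yes":
            findings.append(f"{side}: enable_krb5 is not 'yes'")
        if "krb5_key_file" not in conf:
            findings.append(f"{side}: krb5_key_file is not set")
    # 'auditd' as the fallback service name mirrors the thread's configs.
    expected = f"{server.get('krb5_principal', 'auditd')}/{server_hostname}"
    actual = client.get("krb5_principal")
    if actual != expected:
        findings.append(
            f"client krb5_principal is {actual!r}, expected {expected!r}")
    return findings


def check_keytab_perms(path):
    """The keytab must exist, be owned by root and be mode 0400."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"keytab {path} does not exist"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append(f"keytab {path} has mode {mode:04o}, expected 0400")
    if st.st_uid != 0:
        findings.append(f"keytab {path} is owned by uid {st.st_uid}, expected root")
    return findings


def main():
    server = parse_audit_conf(SERVER_CONF)
    client = parse_audit_conf(CLIENT_CONF)
    for finding in check_krb5_pairing(server, client, "server.example.com"):
        print("pairing:", finding)
    # Constructed keytab stand-in with the wrong mode, so the check reports it.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        os.chmod(tmp.name, 0o600)
    for finding in check_keytab_perms(tmp.name):
        print("keytab:", finding)
    os.unlink(tmp.name)


if __name__ == "__main__":
    main()
```

Run it against the real files by reading /etc/audit/auditd.conf and the audisp-remote.conf from the client into parse_audit_conf and passing the server's actual hostname; an empty findings list from both checks means the pairing matches what the working configuration in the reply looks like, and any remaining failure lies outside these two files.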
