Kerberos encrypted remote audit log
Jan Horstmann
J.Horstmann at mittwald.de
Thu Jun 1 15:54:41 UTC 2017
Hello,
I'm trying to set up a Kerberos-encrypted remote audit log using auditd and audisp-remote. The problem seems to be that audisp-remote assumes a Kerberos principal of the form "auditd/hostname@REALM" instead of "auditd/fqdn@REALM". The man page states under "krb5_client_name" that "[...] the remainder of the principal will consist of the host's fully qualified domain name and the default kerberos realm, like this: auditd/host14.example.com@EXAMPLE.COM [...]". Is there any way to make audisp-remote use the fqdn form? Our FreeIPA is set up to do so and I'm not sure if that can be changed at all.
The errors I'm getting on the listening daemon are: "auditd[16836]: TCP session from [IP:PORT] will be closed, error ignored".
On the audisp-remote end: "audisp-remote[34614]: krb5 error: Keytab contains no suitable keys for [auditd/hostname@REALM] in krb5_get_init_creds_keytab" and "audispd[34520]: plugin /sbin/audisp-remote terminated unexpectedly". The auditd and audisp-remote version is 2.4.5.
It seems to me that FreeIPA has struggled with this before at some point:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html
Any input would be much appreciated.
Regards,
Jan Horstmann
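
Added example, not part of the original post: a small check that reads `klist -k` output and reports whether the keytab holds the short-hostname or the FQDN form of the auditd principal, which is the mismatch the post describes. The function name, the `KEYTAB` variable and the sample listing (including the keytab path in it) are constructed for illustration.

```shell
#!/bin/sh
# Report which hostname form the auditd principals in a keytab listing use.
# usage: keytab_principal_form SERVICE SHORTNAME FQDN < "klist -k" output
keytab_principal_form() {
    awk -v svc="$1" -v short="$2" -v fqdn="$3" '
        $1 ~ /^[0-9]+$/ {                 # entry lines start with the KVNO
            split($2, p, "@")             # p[1] = service/host, p[2] = realm
            if (p[1] == (svc "/" fqdn))  f = 1
            if (p[1] == (svc "/" short)) s = 1
        }
        END {
            if (f && s)  print "both"
            else if (f)  print "fqdn"
            else if (s)  print "short"
            else         print "none"
        }'
}

# Constructed sample of "klist -k" output (not taken from the post).
SAMPLE_KLIST='Keytab name: FILE:/etc/audisp/audisp-remote.key
KVNO Principal
---- ------------------------------------------------
   1 auditd/host14.example.com@EXAMPLE.COM
   1 auditd/host14.example.com@EXAMPLE.COM'

# Keytab issued for the FQDN while the host calls itself "host14".
printf '%s\n' "$SAMPLE_KLIST" |
    keytab_principal_form auditd host14 host14.example.com   # prints: fqdn

# Live check: set KEYTAB to the client keytab path to inspect a real host.
if [ -n "${KEYTAB:-}" ]; then
    echo "hostname: $(hostname)  short: $(hostname -s)  fqdn: $(hostname -f)"
    klist -k "$KEYTAB" |
        keytab_principal_form auditd "$(hostname -s)" "$(hostname -f)"
fi
```

A result of `fqdn` on a host whose `hostname` prints only the short name is consistent with the "Keytab contains no suitable keys" error quoted in the post.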