Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: audisp-remote with krb5
Date: Wed, 17 Apr 2019 10:19:31 -0400
Message-ID: <20744871.VBVgNVylin@x2>
In-Reply-To: <CAGWvsYe+4Dwx-2AU9p_qys1b-_OJ=u+DFqyr0J6EgC4zwgvsnA@mail.gmail.com>

On Wednesday, April 17, 2019 9:01:56 AM EDT Ray Shaw wrote:
> I've been struggling to set up audisp-remote with krb5 enabled, and also
> struggling to find much information/guidance regarding it.

A knowledge base article has been written to help describe how to do this:
https://access.redhat.com/articles/3975971
Unfortunately, you have to log in to see it. So, it's really not suitable for 
general public consumption. And it is specific to the RHEL provided kerberos. 
But maybe there are some hints there if you can access it.


> I'm trying to get this working on RHEL7 due to organizational
> requirements.  Based on the man pages, I created a key file on the server:
> 
> addprinc -randkey auditd/server.example.com
> ktadd -k /home/me/audit.key auditd/server.example.com
> 
> then placed this (root:root 0400) in /etc/audit and set the following:
> 
> enable_krb5 = yes
> krb5_principal = auditd
> krb5_key_file = /etc/audit/audit.key
> 
> For the client:
> 
> addprinc -randkey auditd/client.example.com
> ktadd -k /home/me/audisp-remote.key auditd/client.example.com
> 
> then placed this (root:root 0400) in /etc/audisp and set the following:
> 
> enable_krb5 = yes
> krb5_principal = auditd/server.example.com
> krb5_client_name = auditd
> krb5_key_file = /etc/audisp/audisp-remote.key
> 
> I'm getting this message over and over again on the client:
> 
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
> Success
> Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/
> client.example.com@REALM.COM
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
> Invalid token was supplied
> 
> and this on the server:
> 
> Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes
> MAX_AUDIT_LENGTH
> Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client
> IP>:44354 will be closed, error ignored
> 
> (sorry about having to mask the actual hostnames/IPs/etc.)
> 
> Any idea what I'm doing wrong? 

I personally do not work with that code. It was contributed and I don't have 
a krb setup to test against.

> Based on what I've found online, it seems
> most people don't use krb5, but unfortunately I'm now required to try.

If you have access to 2.8.5, I'd really suggest using that as it fixes bz 
1622194 - which is a big problem for kerberos use.

> We've been using audisp for years, and it works fine with krb5 disabled.
> I'm...pretty sure my Kerberos realm is fine, since that's what we use for
> authentication (gdm, SSH, etc.)  Though it is not the RHEL-provided
> Kerberos.
> 
> Any assistance would be greatly appreciated.

There may be others that can chime in here.

-Steve
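The post above configures two keytabs and two config files by hand and then has to guess from "Invalid token was supplied" which side is misconfigured. The following checker is an added example (not code from the audit project or from anyone in this thread) that takes the two facts the post does establish, namely that each side's own service name comes from krb5_principal in auditd.conf and krb5_client_name in audisp-remote.conf (the client log even prints the resulting auditd/client.example.com@REALM.COM), and that the man pages want the key file root-owned with mode 0400, and verifies them against what `klist -kt` actually finds in the keytab before trying a real `kinit -kt`. The hostnames, realm, and the sample klist output are placeholders constructed for the example; the config syntax is the one shown in the post.

```python
#!/usr/bin/env python3
"""Sanity checks for the audisp-remote / auditd Kerberos setup discussed in the
thread.  Added example, not code from the audit project.

Assumptions not stated in the post: both config files use the 'key = value'
lines shown there, keytab contents are read from `klist -kt`, and the
hostnames and realm are placeholders you replace with your own.
"""
import os
import re
import socket
import stat
import subprocess
import sys

# Which setting names the side's *own* service name.  The post's configs use
# krb5_principal on the server (auditd.conf) and krb5_client_name on the client
# (audisp-remote.conf); the client log confirms the latter by announcing
# 'kerberos principal: auditd/client.example.com@REALM.COM'.
OWN_SERVICE_KEY = {
    "/etc/audit/auditd.conf": "krb5_principal",
    "/etc/audisp/audisp-remote.conf": "krb5_client_name",
}


def parse_audit_conf(text):
    """Parse 'key = value' lines; '#' begins a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_klist_output(text):
    """Collect principals from `klist -kt` output (KVNO, date, time, principal)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def own_principal(service, fqdn, realm):
    """The service/host@REALM form that `ktadd` wrote into the post's keytabs."""
    return f"{service}/{fqdn}@{realm}"


def check_side(conf, own_key, fqdn, realm, klist_text, keytab_mode):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if conf.get("enable_krb5", "no").lower() != "yes":
        findings.append("enable_krb5 is not 'yes'")
    service = conf.get(own_key, "auditd")          # 'auditd' is the documented default
    want = own_principal(service, fqdn, realm)
    have = parse_klist_output(klist_text)
    if want not in have:
        findings.append(f"keytab lacks {want}; it holds {sorted(have) or 'nothing'}")
    mode = stat.S_IMODE(keytab_mode)
    if mode != 0o400:                               # man pages: root-owned, mode 0400
        findings.append(f"keytab mode is {oct(mode)}, expected 0o400")
    return findings


def main(conf_path, realm):
    """On-host run: read the config, list the keytab, then prove the key works with kinit."""
    own_key = OWN_SERVICE_KEY[conf_path]
    with open(conf_path) as fh:
        conf = parse_audit_conf(fh.read())
    keytab = conf["krb5_key_file"]
    klist = subprocess.run(["klist", "-kt", keytab], capture_output=True,
                           text=True, check=True).stdout
    fqdn = socket.getfqdn()
    problems = check_side(conf, own_key, fqdn, realm, klist, os.stat(keytab).st_mode)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        # A failing kinit here means the keytab entry does not match the KDC
        # (for example a stale KVNO after a second ktadd), independent of audit.
        princ = own_principal(conf.get(own_key, "auditd"), fqdn, realm)
        subprocess.run(["kinit", "-kt", keytab, princ], check=True)
        print("OK:", princ, "obtained a TGT using", keytab)
        subprocess.run(["kdestroy"], check=False)
    return 1 if problems else 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_audit_krb5.py "
                 "/etc/audit/auditd.conf|/etc/audisp/audisp-remote.conf REALM.COM")
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as root once on the server against /etc/audit/auditd.conf and once on the client against /etc/audisp/audisp-remote.conf, passing your realm. The static checks (principal present in the keytab, file mode) run before any network is touched; the final kinit separates a bad keytab from a bad audit configuration, which the GSS error messages in the post do not do.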

Thread overview: 3+ messages
2019-04-17 13:01 audisp-remote with krb5 Ray Shaw
2019-04-17 14:19 ` Steve Grubb [this message]
2019-04-25 11:01 ` Ondrej Moris