* audisp-remote with krb5
From: Ray Shaw @ 2019-04-17 13:01 UTC
To: linux-audit
I've been struggling to set up audisp-remote with krb5 enabled, and also
struggling to find much information/guidance regarding it.
I'm trying to get this working on RHEL7 due to organizational
requirements. Based on the man pages, I created a key file on the server:
addprinc -randkey auditd/server.example.com
ktadd -k /home/me/audit.key auditd/server.example.com
then placed this (root:root 0400) in /etc/audit and set the following:
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/audit/audit.key
For the client:
addprinc -randkey auditd/client.example.com
ktadd -k /home/me/audisp-remote.key auditd/client.example.com
then placed this (root:root 0400) in /etc/audisp and set the following:
enable_krb5 = yes
krb5_principal = auditd/server.example.com
krb5_client_name = auditd
krb5_key_file = /etc/audisp/audisp-remote.key
I'm getting this message over and over again on the client:
Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Success
Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/client.example.com@REALM.COM
Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Invalid token was supplied
and this on the server:
Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes MAX_AUDIT_LENGTH
Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client IP>:44354 will be closed, error ignored
(sorry about having to mask the actual hostnames/IPs/etc.)
Any idea what I'm doing wrong? Based on what I've found online, it seems
most people don't use krb5, but unfortunately I'm now required to try.
We've been using audisp for years, and it works fine with krb5 disabled.
I'm...pretty sure my Kerberos realm is fine, since that's what we use for
authentication (gdm, SSH, etc.) Though it is not the RHEL-provided
Kerberos.
Any assistance would be greatly appreciated.
--Ray
* Re: audisp-remote with krb5
From: Steve Grubb @ 2019-04-17 14:19 UTC
To: linux-audit
On Wednesday, April 17, 2019 9:01:56 AM EDT Ray Shaw wrote:
> I've been struggling to set up audisp-remote with krb5 enabled, and also
> struggling to find much information/guidance regarding it.
A knowledge base article has been written to help describe how to do this:
https://access.redhat.com/articles/3975971
Unfortunately, you have to log in to see it. So, it's really not suitable for
general public consumption. And it is specific to the RHEL-provided Kerberos.
But maybe there are some hints there if you can access it.
> I'm trying to get this working on RHEL7 due to organizational
> requirements. Based on the man pages, I created a key file on the server:
>
> addprinc -randkey auditd/server.example.com
> ktadd -k /home/me/audit.key auditd/server.example.com
>
> then placed this (root:root 0400) in /etc/audit and set the following:
>
> enable_krb5 = yes
> krb5_principal = auditd
> krb5_key_file = /etc/audit/audit.key
>
> For the client:
>
> addprinc -randkey auditd/client.example.com
> ktadd -k /home/me/audisp-remote.key auditd/client.example.com
>
> then placed this (root:root 0400) in /etc/audisp and set the following:
>
> enable_krb5 = yes
> krb5_principal = auditd/server.example.com
> krb5_client_name = auditd
> krb5_key_file = /etc/audisp/audisp-remote.key
>
> I'm getting this message over and over again on the client:
>
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Success
> Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/client.example.com@REALM.COM
> Apr 17 08:21:07 client audisp-remote: GSS error: initializing context: Invalid token was supplied
>
> and this on the server:
>
> Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes MAX_AUDIT_LENGTH
> Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client IP>:44354 will be closed, error ignored
>
> (sorry about having to mask the actual hostnames/IPs/etc.)
>
> Any idea what I'm doing wrong?
I personally do not work with that code. It was contributed and I don't have
a krb setup to test against.
> Based on what I've found online, it seems
> most people don't use krb5, but unfortunately I'm now required to try.
If you have access to 2.8.5, I'd really suggest using that as it fixes bz
1622194 - which is a big problem for kerberos use.
> We've been using audisp for years, and it works fine with krb5 disabled.
> I'm...pretty sure my Kerberos realm is fine, since that's what we use for
> authentication (gdm, SSH, etc.) Though it is not the RHEL-provided
> Kerberos.
>
> Any assistance would be greatly appreciated.
There may be others that can chime in here.
-Steve
* Re: audisp-remote with krb5
From: Ondrej Moris @ 2019-04-25 11:01 UTC
To: Ray Shaw; +Cc: linux-audit
Hi Ray,
I just checked audit-remote with KRB5 and it works for me. Let me
share my configuration for comparison and maybe it will help you spot
an error.
SERVER: auditd.conf:
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/auditd.keytab
kadmin.local -q "addprinc -randkey auditd/<SERVER_HOSTNAME>"
kadmin.local -q "ktadd -k /etc/auditd.keytab auditd/<SERVER_HOSTNAME>"
chmod 0400 /etc/auditd.keytab
CLIENT: audisp-remote.conf:
enable_krb5 = yes
krb5_principal = auditd/<SERVER_HOSTNAME>
krb5_client_name = auditd
krb5_key_file = /etc/auditd.keytab
kadmin -w <SECRET> -q "addprinc -randkey auditd/<CLIENT_HOSTNAME>"
kadmin -w <SECRET> -q "ktadd -k /etc/auditd.keytab auditd/<CLIENT_HOSTNAME>"
chmod 0400 /etc/auditd.keytab
Also, SELinux has some issues when using audit remote logging with
Kerberos. You need to turn off enforcing mode, try logging, and use
the generated AVCs to create an SELinux module resolving the issues.
When auditd is started on CLIENT, it is correctly connected and remote
logging works.
Apr 25 06:45:53 ... systemd[1]: Starting Security Auditing Service...
Apr 25 06:45:53 ... auditd[20561]: Started dispatcher: /sbin/audispd pid: 20563
Apr 25 06:45:53 ... audispd[20563]: audispd initialized with q_depth=250 and 1 active plugins
Apr 25 06:45:53 ... audisp-remote[20564]: Audisp-remote started with queue_size: 0
Apr 25 06:45:53 ... audisp-remote[20564]: kerberos principal: auditd/<CLIENT_HOSTNAME>@TEST.ABC.COM
Apr 25 06:45:53 ... audisp-remote[20564]: Connected to <SERVER_HOSTNAME>
Apr 25 06:45:53 ... auditd[20561]: Init complete, auditd 2.8.5 listening for events (startup state enable)
Isn't there something specific to your KRB5 configuration? What are
the versions of audit and Kerberos?
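A cross-check for the settings compared in this thread, added here as an example; it is not part of any message above or of the audit project. Function names and sample values are hypothetical, and it assumes the server's full principal is <krb5_principal>/<server hostname>, as in both configurations posted in the thread.

```python
import os
import stat

def parse_conf(text):
    """Parse 'key = value' lines as used by auditd.conf / audisp-remote.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def check_krb5_pair(server_text, client_text, server_host):
    """Return a list of mismatches between the server and client krb5 settings."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for side, conf in (("server", server), ("client", client)):
        if conf.get("enable_krb5", "no").lower() != "yes":
            problems.append(f"{side}: enable_krb5 is not yes")
        path = conf.get("krb5_key_file", "")
        # Heuristic: a quote or whitespace in the path is almost always a paste error.
        if any(ch in path for ch in "'\" \t"):
            problems.append(f"{side}: krb5_key_file has a stray quote or space: {path!r}")
    # Assumption: the client names the server as <server krb5_principal>/<server host>.
    # An unset client krb5_principal is not flagged here.
    expected = f"{server.get('krb5_principal', 'auditd')}/{server_host}"
    if client.get("krb5_principal", expected) != expected:
        problems.append(f"client: krb5_principal should be {expected}")
    return problems

def check_keytab_file(path):
    """Flag a key file that is not root-owned or is accessible beyond its owner."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("accessible by group or other")
    return problems

# Constructed sample input modelled on the settings quoted in this thread.
SERVER_CONF = "enable_krb5 = yes\nkrb5_principal = auditd\nkrb5_key_file = /etc/audit/audit.key\n"
CLIENT_CONF = ("enable_krb5 = yes\nkrb5_principal = auditd/server.example.com\n"
               "krb5_client_name = auditd\nkrb5_key_file = /etc/audisp/audisp-remote.key\n")

if __name__ == "__main__":
    print(check_krb5_pair(SERVER_CONF, CLIENT_CONF, "server.example.com"))
```

This checks only the configuration files and key file permissions; whether each keytab actually holds the expected principal still has to be confirmed with the Kerberos tools on each host.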