audisp-remote.conf vs auditd.conf

The recent STIGs for RHEL7 say to edit /etc/audisp/audisp-remote.conf for options like "disk_full_action" and "enable_krb5".
Is there a difference between adding the options to audisp-remote.conf versus /etc/audit/auditd.conf, especially when auditd.conf already has dispatcher = /sbin/audispd?

thanks!

Responses

Hi Josh,

Not to be master of the obvious here... We use the ones recommended by the STIGs with no loss of function. If you decide to use something other than what either OpenSCAP or the DISA STIG checker hunts for, be prepared to explain compliance and function to those who will come and evaluate your agency. Of course, STIGs are not just used by government agencies; banks and many other non-government entities use STIGs as well. So then the question is how you provide an answer for compliance if some security entity within your organization asks. If you can easily demonstrate proper function for the intent, then you can probably configure it in the way that is not checked by OpenSCAP or the DISA STIG check methods. The question is how much effort you'll have to spend explaining it to a known or unknown security representative, or a visiting person.

Wish you well

Regards

RJ

Thanks, I appreciate your response. It sounds like the files include some overlap in a few of their options. I'll have to run some tests to see if one overrides the other.

regards, Joshua

auditd.conf has to have dispatcher = /sbin/audispd, as auditd on the server receiving the logs starts the audispd daemon. The ports used by audisp: tcp_listen_port = 60, and the ports the clients will use: tcp_client_ports = 60. semanage already has port 60 set up for audit_port_t; to access it you just have to add the firewall rule.

If you plan on using enable_krb5 = yes, then you must have a key file. Create a principal using ipa service-add auditd/ for each client and server, and then you can use ipa-getkeytab -s -p audit/ -k .keytab. For the auditd server it is /etc/audit/audit.key; for the audispd clients it should be /etc/audisp/audisp-remote.key. There should be better documentation for this service, but I had to look everywhere just to get audisp clients to send their logs on RHEL7.

I wish you luck
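
A check that follows from this thread, added here as an example and not code posted by anyone in it: it reads a log server's auditd.conf and a client's audisp-remote.conf, lists the option names the two files share (they are not overrides of each other; each governs its own side), and flags the pairings that break remote logging: no dispatcher line, a client port that is not the server's tcp_listen_port, enable_krb5 on one side only, and a keytab that is not mode 0400. The sample configs, the hostname audit-server.example.com and the key file paths are constructed for illustration and are assumptions, not a real site's settings.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: check a remote-logging pair of
# /etc/audit/auditd.conf (log server) and /etc/audisp/audisp-remote.conf (client).
# disk_full_action, disk_error_action, enable_krb5, krb5_principal and krb5_key_file
# exist in both files, but auditd.conf governs the auditd daemon on its own host (its
# log disk, its TCP listener) while audisp-remote.conf governs the forwarding plugin.
# Sample configs, hostname and key paths below are constructed (assumptions).

# conf_get FILE KEY: value of KEY (case-insensitive), empty if unset.
conf_get() {
    awk -v k="$2" -F'=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = $1; gsub(/[ \t]/, "", key)
          if (tolower(key) == tolower(k)) {
              v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

# conf_keys FILE: every option name set in FILE, lowercased, one per line.
conf_keys() {
    awk -F'=' '/^[ \t]*#/ || /^[ \t]*$/ { next }
               { k = $1; gsub(/[ \t]/, "", k); print tolower(k) }' "$1" | sort -u
}

# overlapping_keys SERVER_CONF CLIENT_CONF: option names that appear in both files.
overlapping_keys() {
    { conf_keys "$1"; conf_keys "$2"; } | sort | uniq -d
}

# keyfile_ok PATH: true if PATH does not exist yet, or exists with mode 0400,
# the permissions auditd and audisp-remote require before reading a keytab.
keyfile_ok() {
    [ ! -e "$1" ] || find "$1" -perm 0400 | grep -q .
}

# check_pair SERVER_CONF CLIENT_CONF: print findings; return the number of problems.
check_pair() {
    local server=$1 client=$2 problems=0 lport cport skrb ckrb f
    # Without the dispatcher, auditd never starts audispd, so no plugin runs at all.
    if [ "$(conf_get "$server" dispatcher)" != "/sbin/audispd" ]; then
        echo "PROBLEM: auditd.conf lacks dispatcher = /sbin/audispd"; problems=$((problems + 1))
    fi
    # The client's "port" must be the server's "tcp_listen_port".
    lport=$(conf_get "$server" tcp_listen_port); cport=$(conf_get "$client" port)
    if [ -z "$lport" ]; then
        echo "PROBLEM: server has no tcp_listen_port, so it accepts no remote logs"; problems=$((problems + 1))
    elif [ "$lport" != "$cport" ]; then
        echo "PROBLEM: server listens on $lport, client sends to ${cport:-the default}"; problems=$((problems + 1))
    fi
    # enable_krb5 protects the listener in auditd.conf and authenticates the client in
    # audisp-remote.conf; a server requiring Kerberos rejects a plaintext client.
    skrb=$(conf_get "$server" enable_krb5); ckrb=$(conf_get "$client" enable_krb5)
    if [ "${skrb:-no}" != "${ckrb:-no}" ]; then
        echo "PROBLEM: enable_krb5 is '${skrb:-no}' on the server, '${ckrb:-no}' on the client"; problems=$((problems + 1))
    fi
    # With Kerberos on, each side's key file (when present) must be mode 0400.
    if [ "${ckrb:-no}" = yes ]; then
        for f in "$(conf_get "$server" krb5_key_file)" "$(conf_get "$client" krb5_key_file)"; do
            if [ -n "$f" ] && ! keyfile_ok "$f"; then
                echo "PROBLEM: key file $f is not mode 0400"; problems=$((problems + 1))
            fi
        done
    fi
    echo "options set in both files (each governs its own side):"
    overlapping_keys "$server" "$client" | sed 's/^/  /'
    return "$problems"
}

# --- constructed sample configs (illustration only) ---
SAMPLE_DIR=$(mktemp -d)
SERVER_CONF=$SAMPLE_DIR/auditd.conf
CLIENT_CONF=$SAMPLE_DIR/audisp-remote.conf
BAD_CLIENT_CONF=$SAMPLE_DIR/audisp-remote-bad.conf
for k in audit audisp-remote; do : > "$SAMPLE_DIR/$k.key"; chmod 0400 "$SAMPLE_DIR/$k.key"; done
: > "$SAMPLE_DIR/leaky.key"; chmod 0644 "$SAMPLE_DIR/leaky.key"   # keytab left world-readable
cat > "$SERVER_CONF" <<EOF
# log server: /etc/audit/auditd.conf (constructed subset)
dispatcher = /sbin/audispd
disk_full_action = HALT
disk_error_action = SUSPEND
tcp_listen_port = 60
tcp_client_ports = 60
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = $SAMPLE_DIR/audit.key
EOF
cat > "$CLIENT_CONF" <<EOF
# client: /etc/audisp/audisp-remote.conf (constructed subset)
remote_server = audit-server.example.com
port = 60
local_port = 60
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = $SAMPLE_DIR/audisp-remote.key
disk_full_action = halt
disk_error_action = syslog
EOF
# Same client, but aimed at the wrong port and using the world-readable keytab.
sed -e 's/^port = 60/port = 61/' -e 's/audisp-remote\.key/leaky.key/' "$CLIENT_CONF" > "$BAD_CLIENT_CONF"
echo "== correctly paired =="; check_pair "$SERVER_CONF" "$CLIENT_CONF"
echo "== wrong port, leaky keytab =="; check_pair "$SERVER_CONF" "$BAD_CLIENT_CONF"
```

Run it against real files with `check_pair /etc/audit/auditd.conf /etc/audisp/audisp-remote.conf` on a client that has a copy of the server's auditd.conf; the overlap list is the answer to the original question, and the PROBLEM lines are the pairings that silently stop records from arriving.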