Audisp-remote.conf vs auditd.conf

Latest response

The recent STIGs for RHEL7 say to edit etc/audisp/Audisp-remote.conf for options like "disk_full_action" and "enable_krb5".
Is there a difference between adding the options to Audisp-remote.conf versus /etc/audit/auditd.conf, especially when auditd.conf already has dispatcher = /sbin/audispd?

thanks!

Responses

Hi Josh,

Not to be master of the obvious here... We use the ones recommended by the STIGs with no loss of function. If you decide to use something other than what either OpenSCAP or the DISA STIG checker hunts for, be prepared to explain compliance and function to those who will come and evaluate your agency. Of course, STIGS are not just used by government agencies, banks and many other non-government entities use STIGs as well. So then the question is how do you provide an answer for compliance if some security entity within your organization asks. If you can demonstrate proper function for the intent easily, then you can probably configure it in the way that is not checked by OpenSCAP or the DISA STIG check methods. The question is what effort you'll have to explain to either a known or unknown security representative, or visiting person.

Wish you well

Regards

RJ

Thanks, I appreciate your response. It sounds like the files include some overlap in a few of their options. I'll have to run some tests to see if one overrides the other.

regards, Joshua