Hello,
I'm trying to set up a Kerberos-encrypted remote audit log using auditd and audisp-remote. The problem seems to be that audisp-remote assumes a Kerberos principal of the form "auditd/hostname@REALM" instead of "auditd/fqdn@REALM". The man page states under "krb5_client_name" that "[...] the remainder of the principal will consist of the host's fully qualified domain name and the default kerberos realm, like this: auditd/host14.example.com@EXAMPLE.COM [...]". Is there any way to make audisp-remote use the FQDN form, because our FreeIPA is set up to do so and I'm not sure if that can be changed at all?

The errors I'm getting on the listening daemon are: "auditd[16836]: TCP session from [IP:PORT] will be closed, error ignored"

On the audisp-remote end: "audisp-remote[34614]: krb5 error: Keytab contains no suitable keys for [auditd/hostname@REALM] in krb5_get_init_creds_keytab" and "audispd[34520]: plugin /sbin/audisp-remote terminated unexpectedly". The auditd and audisp-remote version is 2.4.5.

It seems to me that FreeIPA has struggled with this before at some point:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html

Any input would be much appreciated.

Regards,
Jan Horstmann
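
Added example, not part of the original message or of the audit project's code: a shell check that pulls the requested principal out of an error line like the one quoted above and compares it with the principals that `klist -k` lists for the keytab. The host names, realm, keytab path and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Host names, realm and keytab path below are constructed.

# Constructed audisp-remote log line, shaped like the error quoted in the post.
SAMPLE_LOG='audisp-remote[34614]: krb5 error: Keytab contains no suitable keys for [auditd/host14@EXAMPLE.COM] in krb5_get_init_creds_keytab'

# Constructed output of plain `klist -k <keytab>` (MIT Kerberos layout).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/path/to/client.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 auditd/host14.example.com@EXAMPLE.COM
   1 auditd/host14.example.com@EXAMPLE.COM
EOF
}

# stdin: log line(s). Prints the principal the client asked the keytab for.
requested_principal() {
    sed -n 's/.*no suitable keys for \([^ ]*\) in .*/\1/p' | tr -d '[]'
}

# stdin: `klist -k` output. Prints the unique principals stored in the keytab.
keytab_principals() {
    awk 'seen && NF >= 2 { print $2 } /^----/ { seen = 1 }' | sort -u
}

# $1: log line; stdin: `klist -k` output. Prints a one-line verdict.
diagnose() {
    want=$(printf '%s\n' "$1" | requested_principal)
    service=${want%%/*}
    realm=${want##*@}
    have=$(keytab_principals)
    if printf '%s\n' "$have" | grep -qxF -- "$want"; then
        echo "present: $want"
        return 0
    fi
    # Same service and realm but a different host component (short vs FQDN).
    alt=$(printf '%s\n' "$have" | awk -v s="$service/" -v r="@$realm" \
        'index($0, s) == 1 && substr($0, length($0) - length(r) + 1) == r { print; exit }')
    if [ -n "$alt" ]; then
        echo "host-form mismatch: requested $want, keytab has $alt"
    else
        echo "absent: no $service principal for realm $realm in keytab"
    fi
}

sample_klist | diagnose "$SAMPLE_LOG"
```

On a live client, pipe the `klist -k` listing of the client's keytab into `diagnose` with the logged error line as its argument.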