Bug 1730382

Summary: transport=KRB5 does not work
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Moriš <omoris>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: ---CC: fedoraproject
Target Milestone: rc   
Target Release: 8.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
.Audit `transport=KRB5` now works properly Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit remote logging using the Kerberos peer authentication did not work. With this update, the problem has been fixed, and Audit remote logging now works properly in the described scenario.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:28:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2019-07-16 14:54:17 UTC 
This bug was created for RHEL-8.1 Beta documentation purposes only. 

Description of problem:

On RHEL-8.1 Beta, KRB5 transport mode, ie. audit-remote logging using KRB5, is not working properly. Connection between server and client is not established and audit events are not sent from client to server.

Version-Release number of selected component (if applicable):

audit-3.0-0.11.20190507gitf58ec40.el8

How reproducible:

100%

Steps to Reproduce:

1. Setup audit remote logging using KRB5 transport mode
2. Log from client.

Actual results:

Connection between server and client is not established. Client's audit events are not propagated to server.

Expected results:

Connection works, authentication is done using KRB5. Client's audit events are propagated to server.

Additional info:

 * There is no workaround. 
 * This bug was created for RHEL-8.1 Beta documentation purposes only. 
 * Described issue is already fixed in audit-3.0-0.12.20190507gitf58ec40.el8.

This bug should be left in NEW state and I will close it as CLOSED CURRENTRELEASE later.
Comment 1 Steve Grubb 2019-08-09 12:58:28 UTC 
The code was already fixed. Adding this to the errata.
Comment 3 Ondrej Moriš 2019-08-12 11:24:25 UTC 
(In reply to Ondrej Moriš from comment #0)
> This bug was created for RHEL-8.1 Beta documentation purposes only. 
>
> ...
>
> Additional info:
> 
>  * This bug was created for RHEL-8.1 Beta documentation purposes only. 
>  * Described issue is already fixed in audit-3.0-0.12.20190507gitf58ec40.el8.
> 
> This bug should be left in NEW state and I will close it as CLOSED
> CURRENTRELEASE later.

In the end we decided to add this bug to RHEL-8.1.0 errata for audit. Issue was fixed via rebase bug.

This bug is successfully verified on all supported architectures, see TC#553604 in TR#364923 for more detail. Please notice that there is a bug in selinux policy [1] causing AVC issues on remote logging server (workaround is to use permissive mode). 

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1740146
Comment 6 errata-xmlrpc 2019-11-05 22:28:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3622