Bug 476009

Summary: Unknown keyword "enable_krb5" in line 25 of /etc/audisp/audisp-remote.conf
Product: Red Hat Enterprise Linux 5 Reporter: Eduard Benes <ebenes>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium Docs Contact:
Priority: high    
Version: 5.3CC: ldolihal, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 21:57:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch attempting to fix the problem none

Description Eduard Benes 2008-12-11 15:24:21 UTC 
Description of problem:
When client side configured for remote logging and changing only option 'remote_server',  plugin /sbin/audisp-remote terminates after (re)start of auditd service with message:

 'Unknown keyword "enable_krb5" in line 25 of /etc/audisp/audisp-remote.conf'

Option "enable_krb5" is present in the config by default. So in order to get the remote logging work, it has to be commented out.

Version-Release number of selected component (if applicable):
audit-1.7.7-5.el5
audispd-plugins-1.7.7-5.el5

How reproducible:

Steps to Reproduce:
1. Configure one system so server as server for remote logging.
2. Configure other system as client with changing only option 'remote_server' and leaving enable_krb5 option untouched. 
3. Restart auditd service on client. 
  
Actual results:
No messages loggen on the server. Client side /var/log/messages contains:
<snip>
...
Dec 11 10:07:08 nec-em15 auditd[22508]: Started dispatcher: /sbin/audispd pid: 22510
Dec 11 10:07:08 nec-em15 audispd: af_unix plugin initialized
Dec 11 10:07:08 nec-em15 audispd: audispd initialized with q_depth=80 and 2 active plugins
Dec 11 10:07:08 nec-em15 audisp-remote: Unknown keyword "enable_krb5" in line 25 of /etc/audisp/audisp-remote.conf
Dec 11 10:07:08 nec-em15 kernel: type=1305 audit(1229008028.287:208): audit_pid=22508 old=0 by auid=0 subj=root:system_r:auditd_t:s0
</snip>

Expected results:
Keyword "enable_krb5" should be recognised or at least commented out.

Additional info:
Kerberos support is disabled in this package version.
Comment 1 Steve Grubb 2008-12-11 15:32:44 UTC 
The easy fix for this is to comment out the krb5 options in the config file. I have a more extensive fix checked into upstream svn, but commenting out the config options is the simplest way to fix the problem.
Comment 2 Steve Grubb 2008-12-11 15:41:15 UTC 
Created attachment 326631 [details]
Patch attempting to fix the problem

This is the proposed fix. It simply comments out a couple config options.

A more extensive fix is here:

https://fedorahosted.org/audit/changeset/204

but I think we want the conservative fix for now.
Comment 5 Steve Grubb 2008-12-11 17:03:49 UTC 
audit-1.7.7-6.el5 was built to solve this problem.
Comment 9 errata-xmlrpc 2009-01-20 21:57:36 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0199.html