Check: SLES-15-030680
SUSE Linux Enterprise Server 15 STIG:
SLES-15-030680
(in versions v2 r4 through v2 r2)
Title
The SUSE operating system audit event multiplexor must be configured to use Kerberos. (Cat III impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.
Check Content
Determine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command:

    > sudo grep transport /etc/audit/audisp-remote.conf
    transport = krb5

If "transport" is not set to "krb5", or is commented out, this is a finding.
Fix Text
Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audit/audisp-remote.conf" file. Edit or add the following line to match the text below:

    transport = krb5
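The grep in the check content also prints commented-out "transport" lines, so its output still has to be read by hand. The script below is an added example, not part of the STIG text, that evaluates the file and reports a finding unless the active setting is "transport = krb5". It assumes that when "transport" appears more than once the last uncommented line is the effective one; the function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate SLES-15-030680 for one file.
# Returns 0 when the active setting is "transport = krb5", 1 for a finding.
check_audisp_transport() {
    conf="${1:-/etc/audit/audisp-remote.conf}"
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    # Skip comment lines, split "key = value" on the first "=", trim blanks.
    # Assumption: if "transport" appears more than once, the last line wins.
    value=$(awk '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "transport") last = val
        }
        END { print last }
    ' "$conf")
    if [ "$value" = "krb5" ]; then
        echo "OK: transport = krb5"
        return 0
    fi
    echo "FINDING: active transport is '${value:-unset}'"
    return 1
}

# Constructed sample: the plain grep from the check prints a krb5 line here,
# but that line is commented out and the active transport is tcp.
sample=$(mktemp)
cat > "$sample" <<'EOF'
remote_server = logs.example.test
#transport = krb5
transport = tcp
EOF
check_audisp_transport "$sample" || echo "(sample is a finding, as expected)"
rm -f "$sample"
```

Called without an argument, the function reads /etc/audit/audisp-remote.conf, so run it with the same privileges as the sudo grep in the check.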
Additional Identifiers
Rule ID: SV-234967r1009567_rule
Vulnerability ID: V-234967
Group Title: SRG-OS-000342-GPOS-00133
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |