SLEM 5 audit event multiplexor must be configured to use Kerberos.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-261421	SRG-OS-000342-GPOS-00133	SLEM-05-653065	SV-261421r996672_rule	2024-06-04	1

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.

ℹ️ Check
Determine if SLEM 5 audit event multiplexor is configured to use Kerberos by running the following command: > sudo grep enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes If "enable_krb5" is not set to "yes", or is commented out, this is a finding.

✔️ Fix
Configure SLEM 5 audit event multiplexor to use Kerberos. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: enable_krb5 = yes