Audisp-remote - connection refused.

Rituraj Buddhisagar rituraj at vayana.com
Tue Oct 3 12:58:42 UTC 2017


Steve, I should have attached my config in my previous mail:

Here is the config on the aggregating server. (I see tcp_listen_port in
auditd.conf, and then there is mention of local_port & port in
audisp-remote.conf as well.)
I do not see auditd listening on port 60, as per my previous mail (netstat
output).

root at guslogs:/etc/audit# cat auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
use_libwrap = no
##krb5_key_file = /etc/audit/audit.key
root at guslogs:/etc/audit# cat ../audisp/audisp-remote.conf
#
# This file controls the configuration of the audit remote
# logging subsystem, audisp-remote.
#

remote_server = 192.168.103.7
port = 60
local_port = 60
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0

network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = reconnect
generic_error_action = syslog
generic_warning_action = syslog
overflow_action = syslog
##enable_krb5 = no
##krb5_principal =
##krb5_client_name = auditd
##krb5_key_file = /etc/audisp/audisp-remote.key


Best Regards,
Rituraj B
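
As an added example (not code from the thread or the audit project), a small Python checker that parses the two config files above and the netstat lines from the earlier mail and flags what to verify first on the aggregator: that audisp-remote's port matches auditd's tcp_listen_port, that something is actually LISTENing on that port, and that the aggregator's own audisp-remote is not pointed at itself with local_port equal to port, which with no listener produces the self-connected 192.168.103.7:60->192.168.103.7:60 socket seen in the lsof and netstat output. The config and netstat text are copied from the mail as constructed input; LOCAL_ADDRS is an assumption.

```python
# Constructed input: the relevant keys from the two config files in the mail.
AUDITD_CONF = "tcp_listen_port = 60\nuse_libwrap = no\nenable_krb5 = no\n"
REMOTE_CONF = "remote_server = 192.168.103.7\nport = 60\nlocal_port = 60\ntransport = tcp\n"
# Constructed input: the tcp lines from the 'netstat -pan' output in the mail.
NETSTAT = """
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
"""
LOCAL_ADDRS = {"192.168.103.7", "127.0.0.1"}  # assumed: the aggregator's own addresses

def parse_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def parse_netstat(text):
    """Return (local, remote, state, program) for each tcp/tcp6 line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp"):
            rows.append((f[3], f[4], f[5], f[6]))
    return rows

def check(auditd, remote, sockets, local_addrs):
    """Return a list of findings; an empty list means the basics look right."""
    findings = []
    lport = auditd.get("tcp_listen_port")
    if lport is None:
        findings.append("auditd.conf has no tcp_listen_port, so auditd accepts no remote clients")
    elif remote.get("port") != lport:
        findings.append(f"audisp-remote port {remote.get('port')} != tcp_listen_port {lport}")
    if lport and not any(s == "LISTEN" and l.endswith(f":{lport}") for l, _, s, _ in sockets):
        findings.append(f"nothing is LISTENing on :{lport}; fix auditd before debugging clients")
    if remote.get("remote_server") in local_addrs and remote.get("local_port") == remote.get("port"):
        findings.append("aggregator's audisp-remote targets itself with local_port == port: "
                        "with no listener, TCP simultaneous open yields a self-connected socket")
    for local, peer, state, prog in sockets:
        if state == "ESTABLISHED" and local == peer:
            findings.append(f"{prog}: socket {local} is connected to itself")
    return findings
```

Run check() against the real /etc/audit/auditd.conf, /etc/audisp/audisp-remote.conf and `netstat -pan` output on the aggregator; a working server (as in Steve's reply, auditd LISTENing on 0.0.0.0:60) yields no findings.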


On Tue, Oct 3, 2017 at 6:22 PM, Rituraj Buddhisagar <rituraj at vayana.com>
wrote:

> Hi Steve,
>
> I did check IPtables and I am not having any rules in there. I have
> allowed the connections in /etc/hosts.allow. But then I do not see auditd
> listening on port 60.
> It just shows an "ESTABLISHED" connection on the aggregating server - which
> is itself!
>
> root at guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
> root at guslogs:/etc/audit#
> root at guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
> unix  2      [ ]         DGRAM                    17760    1897/systemd
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
> unix  2      [ ]         DGRAM                    20360    2136/auditd
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
> root at guslogs:/etc/audit#
> root at guslogs:/etc/audit# netstat -tanp | grep auditd
> root at guslogs:/etc/audit#
> root at guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root at guslogs:/etc/audit#
> root at guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root at guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>> > Please see inline-
>> >
>> > regards
>> >
>> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>> > > > Hi
>> > > >
>> > > > I tried my best to configure the audisp-remote.
>> > > > I am getting below error on the client machine in /var/log/syslog.
>> > > >
>> > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>> > >
>> > > On the server, what do you get for:
>> > >
>> > > ausearch --start recent -m DAEMON_ACCEPT -i
>> > >
>> > > The server side records some information about why it did not allow a
>> > > connection.
>> >
>> > I don't see any info in here.
>> >
>> > # ausearch --start recent -m DAEMON_ACCEPT -i
>> > <no matches>
>>
>> Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>> selinux is blocking it? Once auditd sees its socket is readable, it calls
>> accept(2) and there is no path through the code that doesn't log an event
>> with a reason. Every possible failure logs a distinct reason why the
>> connection failed.
>>
>>
>> > I tried without --start & -i options as well.
>>
>> --start today if you didn't connect within 10 minutes of running the command.
>>
>>
>> > But when I do a tcpdump on central server, I do see requests coming in.
>> > (I changed port to 60).
>> > # tcpdump -i eth1 '( port 60 )'
>> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>> > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
>> > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>> > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
>> > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>> > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
>> > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>> >
>> > I think the service is only listening locally and not for remote
>> > connections?
>>
>> It opens a socket on all addresses.
>> # netstat -tanp | grep auditd
>> tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
>>
>> > root at logs:/etc/audit# lsof -i :60
>> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>> >
>> >
>> > How do I see that I am using libwrap?
>>
>> It should have a config line in auditd.conf. If you do not, it defaults to
>> yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
>> are you put nothing there and the connection proceeds. If I were to guess,
>> I'd say iptables is blocking your connection.
>>
>> > I have enable_krb5=no in the
>> > auditd.conf on the aggregative server.
>>
>> Good. Cause doing a krb5 connection without setting that up will cause it
>> to fail also. I'd bet on iptables being the problem.
>>
>> -Steve
>>
>>
>> > > > 192.168.103.7 is the IP address of the central log server.
>> > > >
>> > > > Notes: My settings are below:
>> > > >
>> > > > on server as well on client:
>> > > > /etc/audisp/audisp-remote
>> > > >
>> > > > remote_server = 192.168.103.7
>> > > > port = 6999
>> > > > local_port = 6999
>> > > > transport = tcp
>> > > > queue_file = /var/spool/audit/remote.log
>> > > > mode = immediate
>> > > > queue_depth = 2048
>> > > > format = ascii
>> > > > network_retry_time = 100
>> > >
>> > > This is probably not your problem but managed is the normal setting
>> > > for format. And do you have enable_krb5 set to no?
>> > >
>> > > > I have enabled name_format=HOSTNAME only in one place (in
>> > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
>> > > >
>> > > > entries in auditd.conf:
>> > > >
>> > > > rtcp_listen_port = 6999
>> > > > tcp_listen_queue = 5
>> > > > tcp_max_per_addr = 10
>> > > > tcp_client_ports = 0-65535
>> > > > tcp_client_max_idle = 0
>> > >
>> > > What do you have for use_libwrap and enable_krb5?
>> > >
>> > > The ausearch info from the aggregating server should tell the reason
>> > > why the connection is rejected.
>> > >
>> > > -Steve
>> > >
>> > > > I see the server is listening on the port 6999 as below but its not
>> > > > accepting client request.
>> > > > root at logs:/etc# lsof -i :6999
>> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>> > > >
>> > > >
>> > > >
>> > > > Best Regards,
>> > > > Rituraj B
>>
>>
>>
>