audit log's server

Levin Stanislav slev at basealt.ru
Fri Oct 5 07:56:47 UTC 2018


Hello, thank you for a quick answer.


04.10.2018 18:56, Steve Grubb wrote:
> Hello,
>
> On Thursday, October 4, 2018 10:14:17 AM EDT Levin Stanislav wrote:
>> I try to use auditd as a server to gather logs from remote clients.
>>
>> 1) My conditions:
>>
>> rpm -q audit
>> audit-2.8.4
>>
>> uname -r
>> 4.9.124
>>
>> ipv6 is disabled
> OK. Out of curiosity, what did you do to disable it?

The approach differs across the distros I checked.
For example, fedora 28 - pass ipv6.disable=1 within grub cmdline;
for altlinux - use blacklist ipv6;
and so on.

The same problem is here.


>
>
>> 2) Problem's symptom:
>>
>> after every reboot of server machine I have
>>
>> from journalctl:
>>
>> auditd[765]: Cannot create tcp listener socket
> I added a commit just now to at least say what address family this is.

It's very good to see an exact error, no?

>
>> systemd[1]: auditd.service: Control process exited, code=exited status=1
>> auditd[764]: Cannot daemonize (Success)
>> systemd[1]: auditd.service: Failed with result 'exit-code'.
>> auditd[764]: The audit daemon is exiting.
>> systemd[1]: Failed to start Security Auditing Service.
>>
>> ss -lntp -o ' sport = 60 '
>>
>> State     Recv-Q      Send-Q      Local Address:Port      Peer Address:Port
>>
>> Later, on system boot, the service can be started manually without error.
>>
>> 3) Workarounds:
>>
>> a) systemd
>>
>> The header of auditd.service tells:
>>
>> ## If auditd.conf has tcp_listen_port enabled, copy this file to
>> ## /etc/systemd/system/auditd.service and add network-online.target
>> ## to the next line so it waits for the network to start before launching.
>>
>> But this leads to circular dependencies in systemd, because auditd says:
>> "Before=sysinit.target", and network-online.target has not direct
>> "After=sysinit.target".
>>
>> Systemd just skips auditd from boot in this case.
> This note was changed in git about 2 months ago.
> https://github.com/linux-audit/audit-userspace/blob/master/init.d/
> auditd.service
>
> ## If auditd is sending or recieving remote logging, copy this file to
> ## /etc/systemd/system/auditd.service and comment out the first After and
> ## uncomment the second so that network-online.target is part of After.
> ## then comment the first Before and uncomment the second Before to remove
> ## sysinit.target from "Before".
> After=local-fs.target systemd-tmpfiles-setup.service
> ##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
> Before=sysinit.target shutdown.target
> ##Before=shutdown.target

What is the reason to have a dependency on sysinit.target at non-server
mode and not to have the same at server one?

>
>> Of course, I can remove auditd's dep on sysinit.target; this breaks the loop.
>>
>>
>> b) ipv4 and ipv6
>>
>> I've added some debug messages into auditd to see what happens.
>>
>> Actually ipv6 module is disabled, but in this moment 'getaddrinfo'
>> within 'auditd_tcp_listen_init' returns both structures - AF_INET and
>> AF_INET6.
> It's not supposed to do that based on the discussion of AI_ADDRCONFIG in the 
> getaddrinfo man page.

Yes, it is. But actually at some boot point it returns ipv4 and ipv6, at
another one only ipv4.

>
>> While auditd attempts to create AF_INET6 socket (skipping AF_INET) there
>> is an error message: "Cannot create tcp listener socket", errno
>> EAFNOSUPPORT.
>>
>> No chances to start.
>>
>>
>> After system boot there is AF_INET only.
> OK. So, then that seems to indicate that the system starts with IPv6 and then 
> disables it later. Does booting using the new systemd instructions help?
>
> Thanks,
> -Steve

Yes, of course it helps :)
But if one just can use as is, I mean without additional service
configuration, it is convenient, isn't it?

Thank you very much!

>  
>
>> I have attached the patch if one needs.
>>
>> Could somebody suggest a proper solution to my problem?
>>
>> Thank you in advance!
>
>
>


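The failure described in this thread is a listener that aborts on the first socket() error instead of trying the other address family getaddrinfo returned. The following is an added example (not auditd's code, and not part of the original mail); it assumes a hypothetical helper open_listener() and uses the same getaddrinfo/socket/bind/listen sequence the discussion refers to, continuing past EAFNOSUPPORT so that an AF_INET6 entry on a host with the ipv6 module disabled does not stop the AF_INET listener from coming up:

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener on `port`, trying every address family that
 * getaddrinfo returns. `extra_flags` is OR'ed into hints.ai_flags; pass
 * AI_ADDRCONFIG to mirror the auditd_tcp_listen_init case in the thread.
 * Returns the listening fd (family stored in *family_out) or -1. */
int open_listener(const char *port, int extra_flags, int *family_out)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;          /* both AF_INET and AF_INET6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | extra_flags;

    int rc = getaddrinfo(NULL, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            /* EAFNOSUPPORT here is the thread's symptom: the kernel has no
             * IPv6 support even though getaddrinfo listed an AF_INET6
             * entry. Report it and try the next family instead of exiting. */
            fprintf(stderr, "socket(family %d): %s\n",
                    ai->ai_family, strerror(errno));
            continue;
        }
        int one = 1;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 5) == 0) {
            if (family_out)
                *family_out = ai->ai_family;
            break;                        /* listening on this family */
        }
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}
```

Calling open_listener("60", AI_ADDRCONFIG, &family) early in boot on the affected host would log the AF_INET6 failure and still return an AF_INET listener, which is the behaviour the workaround in the thread was trying to obtain through unit ordering.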