audit log's server

Levin Stanislav slev at basealt.ru
Thu Oct 4 14:14:17 UTC 2018


Hello.

I am trying to use auditd as a server to gather logs from remote clients.

1) My conditions:

rpm -q audit
audit-2.8.4

uname -r
4.9.124

ipv6 is disabled


2) Problem's symptom:

after every reboot of the server machine I get

from journalctl:

auditd[765]: Cannot create tcp listener socket
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.

ss -lntp -o ' sport = 60 '

State     Recv-Q      Send-Q      Local Address:Port      Peer Address:Port


Later, after system boot, the service can be started manually without error.


3) Workarounds:

a) systemd

The header of auditd.service tells:

## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.

But this leads to circular dependencies in systemd, because auditd says
"Before=sysinit.target", and network-online.target has an indirect
"After=sysinit.target".

Systemd just skips auditd at boot in this case.

Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.


b) ipv4 and ipv6

I've added some debug messages into auditd to see what happens.

Actually the ipv6 module is disabled, but at this moment 'getaddrinfo'
within 'auditd_tcp_listen_init' returns both structures, AF_INET and
AF_INET6.

While auditd attempts to create an AF_INET6 socket (skipping AF_INET) there
is an error message: "Cannot create tcp listener socket", errno
EAFNOSUPPORT.

No chance to start.


After system boot there is AF_INET only.

I have attached the patch in case anyone needs it.


Could somebody suggest a proper solution to my problem?

Thank you in advance!



-------------- next part --------------
A non-text attachment was scrubbed...
Name: auditd-checkipv6.patch
Type: text/x-patch
Size: 1843 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20181004/e56b89aa/attachment.bin>
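The failure mode described in the message (getaddrinfo() returning an AF_INET6 candidate on a host whose kernel has IPv6 disabled, and the daemon giving up on the first socket() failure instead of trying the next family) is shown below in an added example that is not auditd's code and not the attached patch. It opens a passive TCP listener by walking every getaddrinfo() result and skipping any family the kernel rejects with EAFNOSUPPORT. The `mksock` function-pointer parameter and the `socket_no_ipv6` test double are assumptions introduced here so the IPv4 fallback can be exercised on a host that does support IPv6.

```c
/* Added example (not auditd's code): open a TCP listener by trying every
 * address family getaddrinfo() returns, skipping families the running
 * kernel does not support (socket() fails with EAFNOSUPPORT when the ipv6
 * module is disabled) instead of failing on the first candidate. */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as socket(2); injectable (hypothetical parameter) so the
 * fallback path can be tested without disabling IPv6 on the host. */
typedef int (*socket_fn)(int domain, int type, int protocol);

/* Returns a bound, listening fd or -1. On success *family_out receives the
 * address family that was actually used. */
int open_tcp_listener(const char *port, socket_fn mksock, int *family_out)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1, rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;                 /* ask for v4 and v6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags    = AI_PASSIVE | AI_NUMERICSERV;

    rc = getaddrinfo(NULL, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = mksock(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            /* This family is not available in the kernel right now;
             * move on to the next candidate rather than aborting. */
            if (errno == EAFNOSUPPORT)
                continue;
            break;                                 /* other error: give up */
        }
        int one = 1;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 &&
            listen(fd, SOMAXCONN) == 0) {
            if (family_out)
                *family_out = ai->ai_family;
            break;                                 /* success */
        }
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Test double: behave as if the ipv6 module were disabled. */
int socket_no_ipv6(int domain, int type, int protocol)
{
    if (domain == AF_INET6) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return socket(domain, type, protocol);
}

int main(void)
{
    int fam = 0;
    /* Port "0" lets the kernel pick a free ephemeral port for the demo. */
    int fd = open_tcp_listener("0", socket_no_ipv6, &fam);
    if (fd < 0) {
        perror("open_tcp_listener");
        return 1;
    }
    printf("listening with family %s\n",
           fam == AF_INET ? "AF_INET" : "AF_INET6");
    close(fd);
    return 0;
}
```

With the real `socket` passed as `mksock`, the same function listens on whichever family the kernel accepts first; with the test double it falls through to AF_INET, which is the behaviour the message says auditd lacks at boot.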