Levin Stanislav
2018-10-04 14:14:17 UTC
Hello.
I try to use auditd as a server to gather logs from remote clients.
1) My conditions:
rpm -q audit
audit-2.8.4
uname -r
4.9.124
ipv6 is disabled
2) Problem's symptom:
After every reboot of the server machine I have
from journalctl:
auditd[765]: Cannot create tcp listener socket
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.
ss -lntp -o ' sport = 60 '
State    Recv-Q     Send-Q            Local Address:Port            Peer Address:Port
Later, on system boot, the service can be started manually without error.
3) Workarounds:
a) systemd
The header of auditd.service tells:
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
But this leads to circular dependencies in systemd, because auditd says:
"Before=sysinit.target", and network-online.target has no direct
"After=sysinit.target".
Systemd just skips auditd from boot in this case.
Of course, I can remove auditd's dep on sysinit.target; this breaks the loop.
b) ipv4 and ipv6
I've added some debug messages into auditd to see what happens.
Actually the ipv6 module is disabled, but at this moment 'getaddrinfo'
within 'auditd_tcp_listen_init' returns both structures - AF_INET and
AF_INET6.
While auditd attempts to create an AF_INET6 socket (skipping AF_INET) there
is an error message: "Cannot create tcp listener socket", errno
EAFNOSUPPORT.
No chance to start.
After system boot there is AF_INET only.
I have attached the patch if anyone needs it.
Could somebody suggest a proper solution to my problem?
Thank you in advance!