Discussion:
audit log's server
Levin Stanislav
2018-10-04 14:14:17 UTC
Hello.

I am trying to use auditd as a server to gather logs from remote clients.

1) My conditions:

rpm -q audit
audit-2.8.4

uname -r
4.9.124

ipv6 is disabled


2) Problem's symptom:

after every reboot of the server machine I have

from journalctl:

auditd[765]: Cannot create tcp listener socket
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.

ss -lntp -o ' sport = 60 '

State     Recv-Q     Send-Q     Local Address:Port     Peer Address:Port


Later, on system boot, the service can be started manually without error.


3) Workarounds:

a) systemd

The header of auditd.service tells:

## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.

But this leads to a circular dependency in systemd, because auditd says
"Before=sysinit.target", and network-online.target has no direct
"After=sysinit.target".

Systemd just skips auditd from boot in this case.

Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.


b) ipv4 and ipv6

I've added some debug messages into auditd to see what happens.

Actually the ipv6 module is disabled, but at this moment 'getaddrinfo'
within 'auditd_tcp_listen_init' returns both structures - AF_INET and
AF_INET6.

While auditd attempts to create an AF_INET6 socket (skipping AF_INET) there
is an error message: "Cannot create tcp listener socket", errno
EAFNOSUPPORT.

No chance to start.


After system boot there is AF_INET only.

I have attached the patch if one needs.


Could somebody suggest a proper solution to my problem?

Thank you in advance!
Steve Grubb
2018-10-04 15:56:27 UTC
Hello,
Post by Levin Stanislav
I am trying to use auditd as a server to gather logs from remote clients.
rpm -q audit
audit-2.8.4
uname -r
4.9.124
ipv6 is disabled
OK. Out of curiosity, what did you do to disable it?
Post by Levin Stanislav
after every reboot of the server machine I have
from journalctl:
auditd[765]: Cannot create tcp listener socket
I added a commit just now to at least say what address family this is.
Post by Levin Stanislav
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.
ss -lntp -o ' sport = 60 '
State     Recv-Q     Send-Q     Local Address:Port     Peer Address:Port
Later, on system boot, the service can be started manually without error.
a) systemd
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
"Before=sysinit.target", and network-online.target has no direct
"After=sysinit.target".
Systemd just skips auditd from boot in this case.
This note was changed in git about 2 months ago.
https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.service

## If auditd is sending or receiving remote logging, copy this file to
## /etc/systemd/system/auditd.service and comment out the first After and
## uncomment the second so that network-online.target is part of After.
## then comment the first Before and uncomment the second Before to remove
## sysinit.target from "Before".
After=local-fs.target systemd-tmpfiles-setup.service
##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
##Before=shutdown.target
Post by Levin Stanislav
Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.
b) ipv4 and ipv6
I've added some debug messages into auditd to see what happens.
Actually the ipv6 module is disabled, but at this moment 'getaddrinfo'
within 'auditd_tcp_listen_init' returns both structures - AF_INET and
AF_INET6.
It's not supposed to do that based on the discussion of AI_ADDRCONFIG in the
getaddrinfo man page.
Post by Levin Stanislav
While auditd attempts to create an AF_INET6 socket (skipping AF_INET) there
is an error message: "Cannot create tcp listener socket", errno
EAFNOSUPPORT.
No chance to start.
After system boot there is AF_INET only.
OK. So, then that seems to indicate that the system starts with IPv6 and then
disables it later. Does booting using the new systemd instructions help?

Thanks,
-Steve
Post by Levin Stanislav
I have attached the patch if one needs.
Could somebody suggest a proper solution to my problem?
Thank you in advance!
Levin Stanislav
2018-10-05 07:56:47 UTC
Hello, thank you for the quick answer.
Post by Steve Grubb
Hello,
Post by Levin Stanislav
I am trying to use auditd as a server to gather logs from remote clients.
rpm -q audit
audit-2.8.4
uname -r
4.9.124
ipv6 is disabled
OK. Out of curiosity, what did you do to disable it?
The approach differs across the distros I checked.
For example, Fedora 28 - pass ipv6.disable=1 on the grub cmdline;
for ALT Linux - blacklist the ipv6 module;
and so on.

The same problem occurs in each case.
Post by Steve Grubb
Post by Levin Stanislav
after every reboot of the server machine I have
from journalctl:
auditd[765]: Cannot create tcp listener socket
I added a commit just now to at least say what address family this is.
It's very good to see an exact error, no?
Post by Steve Grubb
Post by Levin Stanislav
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.
ss -lntp -o ' sport = 60 '
State     Recv-Q     Send-Q     Local Address:Port     Peer Address:Port
Later, on system boot, the service can be started manually without error.
a) systemd
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
"Before=sysinit.target", and network-online.target has no direct
"After=sysinit.target".
Systemd just skips auditd from boot in this case.
This note was changed in git about 2 months ago.
https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.service
## If auditd is sending or receiving remote logging, copy this file to
## /etc/systemd/system/auditd.service and comment out the first After and
## uncomment the second so that network-online.target is part of After.
## then comment the first Before and uncomment the second Before to remove
## sysinit.target from "Before".
After=local-fs.target systemd-tmpfiles-setup.service
##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
##Before=shutdown.target
What is the reason to have a dependency on sysinit.target at non-server
mode and not to have the same at server one?
Post by Steve Grubb
Post by Levin Stanislav
Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.
b) ipv4 and ipv6
I've added some debug messages into auditd to see what happens.
Actually the ipv6 module is disabled, but at this moment 'getaddrinfo'
within 'auditd_tcp_listen_init' returns both structures - AF_INET and
AF_INET6.
It's not supposed to do that based on the discussion of AI_ADDRCONFIG in the
getaddrinfo man page.
Yes, it is. But actually at one point during boot there are ipv4 and ipv6,
and at another one only ipv4.
Post by Steve Grubb
Post by Levin Stanislav
While auditd attempts to create an AF_INET6 socket (skipping AF_INET) there
is an error message: "Cannot create tcp listener socket", errno
EAFNOSUPPORT.
No chance to start.
After system boot there is AF_INET only.
OK. So, then that seems to indicate that the system starts with IPv6 and then
disables it later. Does booting using the new systemd instructions help?
Thanks,
-Steve
Yes, of course it helps :)
But if one can just use it as is, I mean without additional service
configuration, it is convenient, isn't it?

Thank you very much!
Post by Steve Grubb
Post by Levin Stanislav
I have attached the patch if one needs.
Could somebody suggest a proper solution to my problem?
Thank you in advance!