Hi Steve / Audit List ; I have this issue because Ubuntu has disabled support for listener in their distribution !!
On a blog I found that Debian has not disabled it but the Ubuntu distribution has. I found this when I ran auditd in foreground with -f option. Listener support is not enabled, ignoring value at line 25 tcp_listen_queue_parser called with: 5 Listener support is not enabled, ignoring value at line 26 tcp_max_per_addr_parser called with: 1 Listener support is not enabled, ignoring value at line 27 tcp_listen_queue_parser called with: 1024-65535 Listener support is not enabled, ignoring value at line 28 tcp_client_max_idle_parser called with: 0 Steve, I then went to source site ( https://people.redhat.com/sgrubb/audit/ ) and downloaded a zip from there. I am doing a install using below config command : it fails with python-packages dependency. ./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes ............ ............. ............. checking for python platform... linux2 checking for python script directory... ${prefix}/lib/python2.7/dist-packages checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages configure: error: Python explicitly requested and python headers were not found root@guslogs:/usr/src/audit-2.7.8# Please can you tell me which dependent packages I need to download and configure apart from python? (with a source link would help). I see on the site that you have included - "Improved Remote Logging" in the Roadmap :) Appreciate it and anticipating it ! In the meanwhile I am also thinking of requesting Ubuntu for adding this support - not sure why they did this, what is their logic behind this. I hereby request if you can do something from your end to discuss with Ubuntu maintenars to enable this - as there is a HUGE Linux support base out there using that distro. Thanks! Best Regards, Rituraj B On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <[email protected]> wrote: > On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote: > > Hi Steve, > > > > I did check IPtables and I am not having any rules in there. I have > allowed > > the connections in /etc/hosts.allow. But then I do not see auditd > listening > > on port 60. > > It just shows "ESSTABLISHED" connection on the aggregating server - which > > is itself! > > You should not enable audisp-remote on the aggregating server. Auditd > handles > incoming connections itself. > > -Steve > > > root@guslogs:/etc/audit# lsof -i :60 > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60-> > > 192.168.103.7:60 (ESTABLISHED) > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# netstat -pan | grep 60 > > tcp 0 0 0.0.0.0:22 0.0.0.0:* > LISTEN > > 1260/sshd > > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 > > ESTABLISHED 2146/audisp-remote > > tcp6 0 0 :::22 :::* > LISTEN > > 1260/sshd > > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 > > /tmp/ssh-h0brbTMA4a/agent.1925 > > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd > > > > unix 2 [ ] DGRAM 17760 1897/systemd > > > > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd > > > > unix 2 [ ] DGRAM 20360 2136/auditd > > > > unix 3 [ ] STREAM CONNECTED 13260 1/init > > /run/systemd/journal/stdout > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# netstat -tanp | grep auditd > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# iptables -L > > Chain INPUT (policy ACCEPT) > > target prot opt source destination > > > > Chain FORWARD (policy ACCEPT) > > target prot opt source destination > > > > Chain OUTPUT (policy ACCEPT) > > target prot opt source destination > > root@guslogs:/etc/audit# > > root@guslogs:/etc/audit# cat /etc/hosts.allow > > # /etc/hosts.allow: list of hosts that are allowed to access the system. > > # See the manual pages hosts_access(5) and > > hosts_options(5). > > # > > # Example: ALL: LOCAL @some_netgroup > > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu > > # > > # If you're going to protect the portmapper use the name "rpcbind" for > the > > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. > > # > > > > ALL: ALL > > root@guslogs:/etc/audit# > > > > > > Best Regards, > > Rituraj B > > > > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <[email protected]> wrote: > > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote: > > > > P > > > > lease see inline- > > > > > > > > regards > > > > > > > > > > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <[email protected]> > wrote: > > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar > wrote: > > > > > > Hi > > > > > > > > > > > > I tried my best to configure the audisp-remote. > > > > > > I am getting below error on the client machine in > /var/log/syslog. > > > > > > > > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to > > > > > > 192.168.103.7: > > > > > > Connection refused > > > > > > > > > > On the server, what do you get for: > > > > > > > > > > ausearch --start recent -m DAEMON_ACCEPT -i > > > > > > > > > > The server side records some information about why it did not > allow a > > > > > connection. > > > > > > > > I dont see any info in here. > > > > > > > > # ausearch --start recent -m DAEMON_ACCEPT -i > > > > <no matches> > > > > > > Then its not connecting at all. Maybe your firewall is blocking it. > Maybe > > > selinux is blocking it? Once auditd sees its socket is readable, it > calls > > > accept(2) and there is no path through the code that doesn't log an > event > > > with > > > a reason. Every possible failure logs a distinct reason why the > connection > > > failed. > > > > > > > I tried without --start & -i options as well. > > > > > > --start today if you didn't connect within 10 minutes of running the > > > command. > > > > > > > But when I do a tcpdump on central server, I do see requests coming > in. > > > > > > (I > > > > > > > changed port to 60). > > > > # tcpdump -i eth1 '( port 60 )' > > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076269451, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 4076269452, win 0, length 0 > > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076287474, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 18024, win 0, length 0 > > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076300652, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, > ack > > > > 31202, win 0, length 0 > > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq > > > > > > 4076306151, > > > > > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale > 7], > > > > length 0 > > > > > > > > I think the service is only listening locally and not for remote > > > > connections? > > > > > > It opens a socket on all addresses. > > > # netstat -tanp | grep auditd > > > tcp 0 0 0.0.0.0:60 0.0.0.0:* > LISTEN > > > 893/auditd > > > > > > > root@logs:/etc/audit# lsof -i :60 > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60 > -> > > > > 192.168.103.7:60 (ESTABLISHED) > > > > > > > > > > > > How do I see that I am using libwrap? > > > > > > It should have a config line in auditd.conf. If you do not, it > defaults to > > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. > > > Odds > > > are you put nothing there and the connection proceeds. If I were to > guess, > > > I'd > > > say iptables is blocking your connection. > > > > > > > I have enable_krb5=no in the > > > > auditd.conf on the aggregative server. > > > > > > Good. Cause doing a krb5 connection without setting that up will cause > it > > > to > > > fail also. I'd bet on iptables being the problem. > > > > > > -Steve > > > > > > > > > 192.168.103.7 is the IP address of the central log server. > > > > > > > > > > > > Notes: My settings are below: > > > > > > > > > > > > on server as well on client: > > > > > > /etc/audisp/audisp-remote > > > > > > > > > > > > remote_server = 192.168.103.7 > > > > > > port = 6999 > > > > > > local_port = 6999 > > > > > > transport = tcp > > > > > > queue_file = /var/spool/audit/remote.log > > > > > > mode = immediate > > > > > > queue_depth = 2048 > > > > > > format = ascii > > > > > > network_retry_time = 100 > > > > > > > > > > This is probably not your problem but managed is the normal setting > > > > > for > > > > > format. And do you have enable_krb5 set to no? > > > > > > > > > > > I have enabled name_format=HOSTNAME only in one place (in > > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf > > > > > > > > > > > > entries in auditd.conf: > > > > > > > > > > > > rtcp_listen_port = 6999 > > > > > > tcp_listen_queue = 5 > > > > > > tcp_max_per_addr = 10 > > > > > > tcp_client_ports = 0-65535 > > > > > > tcp_client_max_idle = 0 > > > > > > > > > > What do you have for use_libwrap and enable_krb5? > > > > > > > > > > The ausearcn info from the aggregating server should tell the > reason > > > > > > why > > > > > > > > the > > > > > connection is rejected. > > > > > > > > > > -Steve > > > > > > > > > > > I see the server is listening on the port 6999 as below but its > not > > > > > > accepting client request. > > > > > > root@logs:/etc# lsof -i :6999 > > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP > > > > > > 192.168.103.7:6999 > > > > > > > > -> > > > > > > > > > > > 192.168.103.7:6999 (ESTABLISHED) > > > > > > > > > > > > > > > > > > > > > > > > Best Regards, > > > > > > Rituraj B > > >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
