Steve,

Here is the relevant discussion on disabling the tcp listener on Ubuntu.
https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html

I do not know what exactly caused the change - but now I think it should be enabled in distributions. Please let me know.

Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source now. Still audispd is not started now - what is the way / sequence to start auditd and audispd - if you can point me to some reference or a startup script, it will help.

Thanks!

On Wed, Oct 4, 2017 at 12:38 AM, Rituraj Buddhisagar <[email protected]> wrote:
> Sorry if this seems like spamming, but after I sent the earlier mail - I did install from source successfully with only --prefix=/usr/local
>
> I am now facing an issue like the below:
>
> root@guslogs:/etc/init.d# /usr/local/sbin/auditd
> /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd: undefined symbol: auparse_destroy_ext
>
> If someone can point me to a clean and easy install with dependencies from source it would help.
>
> Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help!
>
> Best Regards,
> Rituraj B
>
> On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar <[email protected]> wrote:
>> Hi Steve / Audit List ;
>>
>> I have this issue because Ubuntu has disabled support for the listener in their distribution !!
>>
>> On a blog I found that Debian has not disabled it but the Ubuntu distribution has.
>>
>> I found this when I ran auditd in the foreground with the -f option.
>>
>> Listener support is not enabled, ignoring value at line 25
>> tcp_listen_queue_parser called with: 5
>> Listener support is not enabled, ignoring value at line 26
>> tcp_max_per_addr_parser called with: 1
>> Listener support is not enabled, ignoring value at line 27
>> tcp_listen_queue_parser called with: 1024-65535
>> Listener support is not enabled, ignoring value at line 28
>> tcp_client_max_idle_parser called with: 0
>>
>> Steve, I then went to the source site ( https://people.redhat.com/sgrubb/audit/ ) and downloaded a zip from there.
>>
>> I am doing an install using the below configure command : it fails with a python-packages dependency.
>> ./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
>> ............
>> .............
>> .............
>>
>> checking for python platform... linux2
>> checking for python script directory... ${prefix}/lib/python2.7/dist-packages
>> checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages
>> configure: error: Python explicitly requested and python headers were not found
>> root@guslogs:/usr/src/audit-2.7.8#
>>
>> Please can you tell me which dependent packages I need to download and configure apart from python? (with a source link would help).
>>
>> I see on the site that you have included - "Improved Remote Logging" in the Roadmap :) Appreciate it and anticipating it !
>>
>> In the meanwhile I am also thinking of requesting Ubuntu for adding this support - not sure why they did this, what is their logic behind this. I hereby request if you can do something from your end to discuss with Ubuntu maintainers to enable this - as there is a HUGE Linux support base out there using that distro.
>>
>> Thanks!
>>
>> Best Regards,
>> Rituraj B
>>
>> On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <[email protected]> wrote:
>>> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
>>> > Hi Steve,
>>> >
>>> > I did check IPtables and I am not having any rules in there. I have allowed the connections in /etc/hosts.allow. But then I do not see auditd listening on port 60.
>>> > It just shows an "ESTABLISHED" connection on the aggregating server - which is itself!
>>>
>>> You should not enable audisp-remote on the aggregating server. Auditd handles incoming connections itself.
>>>
>>> -Steve
>>>
>>> > root@guslogs:/etc/audit# lsof -i :60
>>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> > audisp-re 2146 root 3u IPv4 20368 0t0 TCP 192.168.103.7:60 -> 192.168.103.7:60 (ESTABLISHED)
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -pan | grep 60
>>> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1260/sshd
>>> > tcp 10491 1360 192.168.103.7:60 192.168.103.7:60 ESTABLISHED 2146/audisp-remote
>>> > tcp6 0 0 :::22 :::* LISTEN 1260/sshd
>>> > unix 2 [ ACC ] STREAM LISTENING 16055 1925/0 /tmp/ssh-h0brbTMA4a/agent.1925
>>> > unix 3 [ ] STREAM CONNECTED 13777 1260/sshd
>>> > unix 2 [ ] DGRAM 17760 1897/systemd
>>> > unix 3 [ ] STREAM CONNECTED 16036 1897/systemd
>>> > unix 2 [ ] DGRAM 20360 2136/auditd
>>> > unix 3 [ ] STREAM CONNECTED 13260 1/init /run/systemd/journal/stdout
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -tanp | grep auditd
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# iptables -L
>>> > Chain INPUT (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > Chain FORWARD (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target prot opt source destination
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# cat /etc/hosts.allow
>>> > # /etc/hosts.allow: list of hosts that are allowed to access the system.
>>> > # See the manual pages hosts_access(5) and hosts_options(5).
>>> > #
>>> > # Example: ALL: LOCAL @some_netgroup
>>> > # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>>> > #
>>> > # If you're going to protect the portmapper use the name "rpcbind" for the
>>> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
>>> > #
>>> >
>>> > ALL: ALL
>>> > root@guslogs:/etc/audit#
>>> >
>>> > Best Regards,
>>> > Rituraj B
>>> >
>>> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <[email protected]> wrote:
>>> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>>> > > > Please see inline-
>>> > > >
>>> > > > regards
>>> > > >
>>> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <[email protected]> wrote:
>>> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>>> > > > > > Hi
>>> > > > > >
>>> > > > > > I tried my best to configure the audisp-remote.
>>> > > > > > I am getting the below error on the client machine in /var/log/syslog.
>>> > > > > >
>>> > > > > > Oct 2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>>> > > > >
>>> > > > > On the server, what do you get for:
>>> > > > >
>>> > > > > ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > >
>>> > > > > The server side records some information about why it did not allow a connection.
>>> > > >
>>> > > > I don't see any info in here.
>>> > > >
>>> > > > # ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > <no matches>
>>> > >
>>> > > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe selinux is blocking it? Once auditd sees its socket is readable, it calls accept(2) and there is no path through the code that doesn't log an event with a reason. Every possible failure logs a distinct reason why the connection failed.
>>> > >
>>> > > > I tried without --start & -i options as well.
>>> > >
>>> > > --start today if you didn't connect within 10 minutes of running the command.
>>> > >
>>> > > > But when I do a tcpdump on the central server, I do see requests coming in. (I changed the port to 60).
>>> > > > # tcpdump -i eth1 '( port 60 )'
>>> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
>>> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
>>> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
>>> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > >
>>> > > > I think the service is only listening locally and not for remote connections?
>>> > >
>>> > > It opens a socket on all addresses.
>>> > > # netstat -tanp | grep auditd
>>> > > tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN 893/auditd
>>> > >
>>> > > > root@logs:/etc/audit# lsof -i :60
>>> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > audisp-re 1713 root 3u IPv4 17433 0t0 TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>>> > > >
>>> > > > How do I see that I am using libwrap?
>>> > >
>>> > > It should have a config line in auditd.conf. If you do not, it defaults to yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds are you put nothing there and the connection proceeds. If I were to guess, I'd say iptables is blocking your connection.
>>> > >
>>> > > > I have enable_krb5=no in the auditd.conf on the aggregative server.
>>> > >
>>> > > Good. Cause doing a krb5 connection without setting that up will cause it to fail also. I'd bet on iptables being the problem.
>>> > >
>>> > > -Steve
>>> > >
>>> > > > > > 192.168.103.7 is the IP address of the central log server.
>>> > > > > >
>>> > > > > > Notes: My settings are below:
>>> > > > > >
>>> > > > > > on server as well as on client:
>>> > > > > > /etc/audisp/audisp-remote
>>> > > > > >
>>> > > > > > remote_server = 192.168.103.7
>>> > > > > > port = 6999
>>> > > > > > local_port = 6999
>>> > > > > > transport = tcp
>>> > > > > > queue_file = /var/spool/audit/remote.log
>>> > > > > > mode = immediate
>>> > > > > > queue_depth = 2048
>>> > > > > > format = ascii
>>> > > > > > network_retry_time = 100
>>> > > > >
>>> > > > > This is probably not your problem but managed is the normal setting for format. And do you have enable_krb5 set to no?
>>> > > > >
>>> > > > > > I have enabled name_format=HOSTNAME only in one place (in /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>>> > > > > >
>>> > > > > > entries in auditd.conf:
>>> > > > > >
>>> > > > > > rtcp_listen_port = 6999
>>> > > > > > tcp_listen_queue = 5
>>> > > > > > tcp_max_per_addr = 10
>>> > > > > > tcp_client_ports = 0-65535
>>> > > > > > tcp_client_max_idle = 0
>>> > > > >
>>> > > > > What do you have for use_libwrap and enable_krb5?
>>> > > > >
>>> > > > > The ausearch info from the aggregating server should tell the reason why the connection is rejected.
>>> > > > >
>>> > > > > -Steve
>>> > > > >
>>> > > > > > I see the server is listening on port 6999 as below but it's not accepting client requests.
>>> > > > > > root@logs:/etc# lsof -i :6999
>>> > > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > > > audisp-re 9091 root 3u IPv4 33671 0t0 TCP 192.168.103.7:6999 -> 192.168.103.7:6999 (ESTABLISHED)
>>> > > > > >
>>> > > > > > Best Regards,
>>> > > > > > Rituraj B
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
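As an added example (not code from the thread or from the audit project), here is a small Python check that cross-references the listener settings in the aggregator's auditd.conf with a client's audisp-remote.conf and flags the mismatches Steve asks about above: listener port versus client port, a client local_port outside tcp_client_ports, enable_krb5 disagreement, a format other than managed, and audisp-remote pointing at the aggregator itself. The config contents and the aggregator address are constructed samples modelled on the thread, and the check assumes an unset tcp_client_ports allows any source port.

```python
# Added example, not from the thread or the audit project: cross-check the
# aggregator's auditd.conf against a client's audisp-remote.conf.
# Both config texts below are constructed samples modelled on the thread.
AUDITD_CONF = """\
tcp_listen_port = 6999
tcp_max_per_addr = 10
tcp_client_ports = 1024-65535
enable_krb5 = no
"""
REMOTE_CONF = """\
remote_server = 192.168.103.7
port = 60
local_port = 60
format = ascii
"""

def parse_kv(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    return conf

def check_remote_logging(auditd_text, remote_text, aggregator_addrs=()):
    """Return a list of findings; an empty list means the two sides agree."""
    srv, cli = parse_kv(auditd_text), parse_kv(remote_text)
    findings = []
    listen = srv.get("tcp_listen_port")
    if listen is None:
        findings.append("server: tcp_listen_port unset, auditd will not listen")
    elif listen != cli.get("port"):
        findings.append(f"port mismatch: server listens on {listen}, client sends to {cli.get('port')}")
    # Assumption: an unset tcp_client_ports allows any source port.
    lo, _, hi = srv.get("tcp_client_ports", "1-65535").partition("-")
    lo, hi = int(lo), int(hi or lo)
    lport = cli.get("local_port", "any")
    if lport != "any" and not lo <= int(lport) <= hi:
        findings.append(f"client local_port {lport} outside server tcp_client_ports {lo}-{hi}")
    if srv.get("enable_krb5", "no") != cli.get("enable_krb5", "no"):
        findings.append("enable_krb5 differs between server and client")
    if cli.get("remote_server") in aggregator_addrs:
        findings.append("audisp-remote points at the aggregator itself; it should not run there")
    if cli.get("format", "managed") != "managed":
        findings.append(f"client format={cli['format']}, managed is the normal setting")
    return findings
```

Run `check_remote_logging(AUDITD_CONF, REMOTE_CONF, ("192.168.103.7",))` to see the four findings the sample configs produce.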
