Hello. I am trying to use auditd as a server to gather logs from remote clients.

1) My conditions:

    rpm -q audit
    audit-2.8.4
    uname -r
    4.9.124

ipv6 is disabled

2) Problem's symptom: after every reboot of the server machine I have, from journalctl:

    auditd[765]: Cannot create tcp listener socket
    systemd[1]: auditd.service: Control process exited, code=exited status=1
    auditd[764]: Cannot daemonize (Success)
    systemd[1]: auditd.service: Failed with result 'exit-code'.
    auditd[764]: The audit daemon is exiting.
    systemd[1]: Failed to start Security Auditing Service.

    ss -lntp -o ' sport = 60 '
    State Recv-Q Send-Q Local Address:Port Peer Address:Port

Later, on system boot, the service can be started manually without error.

3) Workarounds:

a) systemd

The header of auditd.service says:

    ## If auditd.conf has tcp_listen_port enabled, copy this file to
    ## /etc/systemd/system/auditd.service and add network-online.target
    ## to the next line so it waits for the network to start before launching.

But this leads to circular dependencies in systemd, because auditd says "Before=sysinit.target", and network-online.target has no direct "After=sysinit.target". Systemd just skips auditd from boot in this case. Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.

b) ipv4 and ipv6

I've added some debug messages to auditd to see what happens. Actually the ipv6 module is disabled, but at this moment 'getaddrinfo' within 'auditd_tcp_listen_init' returns both structures - AF_INET and AF_INET6. While auditd attempts to create the AF_INET6 socket (skipping AF_INET) there is an error message: "Cannot create tcp listener socket", errno EAFNOSUPPORT. No chance to start.

After system boot there is AF_INET only. I have attached the patch in case anyone needs it.

Could somebody suggest a proper solution to my problem? Thank you in advance!

diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index bde75db..9fff46c 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -965,7 +965,6 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
return 1;
}
- {
int ipv4 = 0, ipv6 = 0;
nlsocks = 0;
runp = ai;
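Review bot: dropping the opening brace before the ipv4/ipv6 declaration is a scope change unrelated to the EAFNOSUPPORT fix, and it only balances because the block's closing brace is reused by the if statement in the next hunk. It also leaves int ipv4 = 0, ipv6 = 0; declared after executable statements in the enclosing scope. Keeping the original block and bracing the if separately would make the patch smaller and easier to verify.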
@@ -973,13 +972,24 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
// Let's take a pass through and see what we got.
if (runp->ai_family == AF_INET)
ipv4++;
- else if (runp->ai_family == AF_INET6)
- ipv6++;
+ else if (runp->ai_family == AF_INET6) {
+ // check if ipv6 actually presents
+ int chsock = socket(runp->ai_family,
+ runp->ai_socktype, runp->ai_protocol);
+ if (chsock != -1) {
+ close(chsock);
+ } else if (errno == EAFNOSUPPORT) {
+ runp = runp->ai_next;
+ nlsocks++;
+ continue;
+ }
+ ipv6++;
+ }
runp = runp->ai_next;
nlsocks++;
}
- if (nlsocks == 2 && ipv4 && ipv6)
+ if (nlsocks == 2 && ipv4 && ipv6) {
prefer_ipv6 = 1;
}
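Review bot: in the EAFNOSUPPORT branch the loop tail (runp = runp->ai_next; nlsocks++;) is duplicated before continue, and the skipped AF_INET6 entry is still counted in nlsocks, so nlsocks == 2 stays true and only ipv6 == 0 keeps prefer_ipv6 from being set. It would be simpler to make only ipv6++ conditional on the probe and let both paths fall through to the common tail. Note also that any socket() failure other than EAFNOSUPPORT still increments ipv6, so prefer_ipv6 can be set even though the probe failed; if that is intended, the comment should say so, and its wording ("actually presents") should be fixed while there.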
@@ -994,7 +1004,9 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
listen_socket[nlsocks] = socket(runp->ai_family,
runp->ai_socktype, runp->ai_protocol);
if (listen_socket[nlsocks] < 0) {
- audit_msg(LOG_ERR, "Cannot create tcp listener socket");
+ audit_msg(LOG_ERR,
+ "Cannot create tcp listener %d socket (%s)",
+ runp->ai_family, strerror(errno));
goto next_try;
}
