Hello,

On Thursday, October 4, 2018 10:14:17 AM EDT Levin Stanislav wrote:
> I try to use auditd as a server to gather logs from remote clients.
>
> 1) My conditions:
>
> /rpm -q audit//
> //audit-2.8.4/
>
> /uname -r//
> //4.9.124/
>
> /ipv6 is disabled/

OK. Out of curiosity, what did you do to disable it?

> 2) Problem's symptom:
>
> after every reboot of server machine I have
>
> /from journalctl:/
>
> /auditd[765]: Cannot create tcp listener socket

I added a commit just now to at least say what address family this is.

> systemd[1]: auditd.service: Control process exited, code=exited status=1
> auditd[764]: Cannot daemonize (Success)
> systemd[1]: auditd.service: Failed with result 'exit-code'.
> auditd[764]: The audit daemon is exiting.
> systemd[1]: Failed to start Security Auditing Service./
>
> //ss -lntp -o ' sport = 60 '//
>
> ////State Recv-Q Send-Q Local
> Address:Port Peer Address:Port//
>
> Later, on system boot, the service can be started manually without error.
>
> 3) Workarounds:
>
> a) systemd
>
> The header of auditd.service tells:
>
> ## If auditd.conf has tcp_listen_port enabled, copy this file to
> ## /etc/systemd/system/auditd.service and add network-online.target
> ## to the next line so it waits for the network to start before launching.
>
> But this leads to circular dependencies in systemd, because auditd says:
> "Before=sysinit.target", and network-online.target has not direct
> "After=sysinit.target".
>
> Systemd just skips auditd from boot in this case.

This note was changed in git about 2 months ago.

https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.service

## If auditd is sending or recieving remote logging, copy this file to
## /etc/systemd/system/auditd.service and comment out the first After and
## uncomment the second so that network-online.target is part of After.
## then comment the first Before and uncomment the second Before to remove
## sysinit.target from "Before".
After=local-fs.target systemd-tmpfiles-setup.service
##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
##Before=shutdown.target

> Of course, I can remove auditd's dep on sysinit.target, this breaks a loop.
>
>
> b) ipv4 and ipv6
>
> I've added some debug messages into auditd to see what happens.
>
> Actually ipv6 module is disabled, but in this moment 'getaddrinfo'
> within 'auditd_tcp_listen_init' returns both structures - AF_INET and
> AF_INET6.

It's not supposed to do that based on the discussion of AI_ADDRCONFIG in the getaddrinfo man page.

> While auditd attempts to create AF_INET6 socket (skipping AF_INET) there
> is an error message: "/Cannot create tcp listener socket/", errno
> /EAFNOSUPPORT./
>
> No chances to start./
> /
>
>
> After system boot there is AF_INET only.

OK. So, then that seems to indicate that the system starts with IPv6 and then disables it later. Does booting using the new systemd instructions help?

Thanks,
-Steve

> I have attached the patch if one needs.
>
> Could somebody suggest a proper solution to my problem?
>
> Thank you in advance!

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
