Hello, thank you for a quick answer.

04.10.2018 18:56, Steve Grubb wrote:
> Hello,
>
> On Thursday, October 4, 2018 10:14:17 AM EDT Levin Stanislav wrote:
>> I try to use auditd as a server to gather logs from remote clients.
>>
>> 1) My conditions:
>>
>> rpm -q audit
>> audit-2.8.4
>>
>> uname -r
>> 4.9.124
>>
>> ipv6 is disabled
> OK. Out of curiosity, what did you do to disable it?

The approach is different to distros I checked. For example, fedora 28 - pass ipv6.disable=1 within grub cmdline; for altlinux - use blacklist ipv6 and so on. The same problem is here.

>> 2) Problem's symptom:
>>
>> after every reboot of server machine I have
>>
>> from journalctl:
>>
>> auditd[765]: Cannot create tcp listener socket
> I added a commit just now to at least say what address family this is.

It's very good to see an exact error, no?

>> systemd[1]: auditd.service: Control process exited, code=exited status=1
>> auditd[764]: Cannot daemonize (Success)
>> systemd[1]: auditd.service: Failed with result 'exit-code'.
>> auditd[764]: The audit daemon is exiting.
>> systemd[1]: Failed to start Security Auditing Service.
>>
>> ss -lntp -o ' sport = 60 '
>>
>> State Recv-Q Send-Q Local Address:Port Peer Address:Port
>>
>> Later, on system boot, the service can be started manually without error.
>>
>> 3) Workarounds:
>>
>> a) systemd
>>
>> The header of auditd.service tells:
>>
>> ## If auditd.conf has tcp_listen_port enabled, copy this file to
>> ## /etc/systemd/system/auditd.service and add network-online.target
>> ## to the next line so it waits for the network to start before launching.
>>
>> But this leads to circular dependencies in systemd, because auditd says:
>> "Before=sysinit.target", and network-online.target has not direct
>> "After=sysinit.target".
>>
>> Systemd just skips auditd from boot in this case.
> This note was changed in git about 2 months ago.
> https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.service
>
> ## If auditd is sending or recieving remote logging, copy this file to
> ## /etc/systemd/system/auditd.service and comment out the first After and
> ## uncomment the second so that network-online.target is part of After.
> ## then comment the first Before and uncomment the second Before to remove
> ## sysinit.target from "Before".
> After=local-fs.target systemd-tmpfiles-setup.service
> ##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
> Before=sysinit.target shutdown.target
> ##Before=shutdown.target

What is the reason to have a dependency on sysinit.target at non-server mode and not to have the same at server one?

>> Of course, I can remove auditd's dep on sysinit.target, this breaks a loop.
>>
>> b) ipv4 and ipv6
>>
>> I've added some debug messages into auditd to see what happens.
>>
>> Actually ipv6 module is disabled, but in this moment 'getaddrinfo'
>> within 'auditd_tcp_listen_init' returns both structures - AF_INET and
>> AF_INET6.
> It's not supposed to do that based on the discussion of AI_ADDRCONFIG in the
> getaddrinfo man page.

Yes, it is. But actually at some boot point - ipv4 and ipv6, another one - ipv4.

>> While auditd attempts to create AF_INET6 socket (skipping AF_INET) there
>> is an error message: "Cannot create tcp listener socket", errno
>> EAFNOSUPPORT.
>>
>> No chances to start.
>>
>> After system boot there is AF_INET only.
> OK. So, then that seems to indicate that the system starts with IPv6 and then
> disables it later. Does booting using the new systemd instructions help?
>
> Thanks,
> -Steve

Yes, of course it helps :) But if one just can use as is, I mean without additional service configuration, it is convenient, isn't it? Thank you very much!

>> I have attached the patch if one needs.
>>
>> Could somebody suggest a proper solution to my problem?
>>
>> Thank you in advance!
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
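
The failure discussed in this message (getaddrinfo returning both AF_INET and AF_INET6 during boot, and the AF_INET6 socket failing with EAFNOSUPPORT) can be tolerated by trying every returned entry instead of stopping at the first one. The following is an added example, not auditd's code and not the patch attached to the thread; `listen_first_usable` and port 16060 are hypothetical names and values chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a listening fd for the first usable entry, or -1 with errno set.
 * *skipped counts entries whose family the kernel rejected (EAFNOSUPPORT). */
int listen_first_usable(const struct addrinfo *list, int *skipped)
{
    int last_err = EADDRNOTAVAIL;
    *skipped = 0;
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            last_err = errno;
            if (errno == EAFNOSUPPORT)
                (*skipped)++;      /* e.g. AF_INET6 while IPv6 is disabled */
            continue;              /* try the next family, do not abort */
        }
        int on = 1;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 5) == 0)
            return fd;
        last_err = errno;
        close(fd);
    }
    errno = last_err;
    return -1;
}

int main(void)
{
    struct addrinfo hints, *res;
    int skipped;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
    if (getaddrinfo(NULL, "16060", &hints, &res) != 0)  /* sample port, an assumption */
        return 1;
    int fd = listen_first_usable(res, &skipped);
    printf("fd=%d, families skipped=%d\n", fd, skipped);
    freeaddrinfo(res);
    return fd < 0;
}
```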
