From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Bob Beck" <beck@assurtech.com>
Subject: Can auditd run in lxc on centos7
Date: Thu, 5 Apr 2018 12:26:15 -0400
Message-ID: <002a01d3ccfa$d247fda0$76d7f8e0$@assurtech.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3140672886306601622=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com
	[10.5.110.26])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 9628382208
	for <linux-audit@redhat.com>; Thu,  5 Apr 2018 16:26:23 +0000 (UTC)
Received: from Encrypt.Assurtech.com (encrypt.assurtech.com [50.200.191.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 30A707E9D2
	for <linux-audit@redhat.com>; Thu,  5 Apr 2018 16:26:22 +0000 (UTC)
Received: from Encrypt.Assurtech.com (localhost.localdomain [127.0.0.1])
	by localhost (Email Security Appliance) with SMTP id
	3D1A31FB2202_AC64E2DB
	for <linux-audit@redhat.com>; Thu,  5 Apr 2018 16:26:21 +0000 (GMT)
Received: from Assurtech.com (unknown [192.168.2.2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "Assurtech.com",
	Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK))
	by Encrypt.Assurtech.com (Sophos Email Appliance) with ESMTPS id
	B5CE31FAF4BE_AC64E2CF
	for <linux-audit@redhat.com>; Thu,  5 Apr 2018 16:26:20 +0000 (GMT)
Content-Language: en-us
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

This is a multipart message in MIME format.

--===============3140672886306601622==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_002B_01D3CCD9.4B374800"
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_002B_01D3CCD9.4B374800
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi,

 

I am attempting to run auditd in centos7 inside a lxc container.

 

Here is the log I get when I run auditd -f

 

onfig file /etc/audit/auditd.conf opened for parsing

log_file_parser called with: /var/log/audit.log

log_format_parser called with: RAW

log_group_parser called with: root

priority_boost_parser called with: 4

flush_parser called with: INCREMENTAL

freq_parser called with: 20

num_logs_parser called with: 5

qos_parser called with: lossy

dispatch_parser called with: /usr/sbin/audispd

name_format_parser called with: NONE

max_log_size_parser called with: 6

max_log_size_action_parser called with: ROTATE

space_left_parser called with: 75

space_action_parser called with: SYSLOG

action_mail_acct_parser called with: root

admin_space_left_parser called with: 50

admin_space_left_action_parser called with: SUSPEND

disk_full_action_parser called with: SUSPEND

disk_error_action_parser called with: SUSPEND

tcp_listen_queue_parser called with: 5

tcp_max_per_addr_parser called with: 1

tcp_client_max_idle_parser called with: 0

enable_krb5_parser called with: no

GSSAPI support is not enabled, ignoring value at line 30

krb5_principal_parser called with: auditd

GSSAPI support is not enabled, ignoring value at line 31

Started dispatcher: /usr/sbin/audispd pid: 3028

type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success

config_manager init complete

Error sending status request (Connection refused)

Error sending enable request (Connection refused)

type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=failed

Unable to set initial audit startup state to 'enable', exiting

The audit daemon is exiting.

Error setting audit daemon pid (Connection refused)


------=_NextPart_000_002B_01D3CCD9.4B374800
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 14 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal>Hi,<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>I am =
attempting to run auditd in centos7 inside a lxc =
container.<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>Here is the log I get when I run auditd =
&#8211;f<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>onfig file /etc/audit/auditd.conf opened for =
parsing<o:p></o:p></p><p class=3DMsoNormal>log_file_parser called with: =
/var/log/audit.log<o:p></o:p></p><p class=3DMsoNormal>log_format_parser =
called with: RAW<o:p></o:p></p><p class=3DMsoNormal>log_group_parser =
called with: root<o:p></o:p></p><p =
class=3DMsoNormal>priority_boost_parser called with: 4<o:p></o:p></p><p =
class=3DMsoNormal>flush_parser called with: INCREMENTAL<o:p></o:p></p><p =
class=3DMsoNormal>freq_parser called with: 20<o:p></o:p></p><p =
class=3DMsoNormal>num_logs_parser called with: 5<o:p></o:p></p><p =
class=3DMsoNormal>qos_parser called with: lossy<o:p></o:p></p><p =
class=3DMsoNormal>dispatch_parser called with: =
/usr/sbin/audispd<o:p></o:p></p><p class=3DMsoNormal>name_format_parser =
called with: NONE<o:p></o:p></p><p class=3DMsoNormal>max_log_size_parser =
called with: 6<o:p></o:p></p><p =
class=3DMsoNormal>max_log_size_action_parser called with: =
ROTATE<o:p></o:p></p><p class=3DMsoNormal>space_left_parser called with: =
75<o:p></o:p></p><p class=3DMsoNormal>space_action_parser called with: =
SYSLOG<o:p></o:p></p><p class=3DMsoNormal>action_mail_acct_parser called =
with: root<o:p></o:p></p><p class=3DMsoNormal>admin_space_left_parser =
called with: 50<o:p></o:p></p><p =
class=3DMsoNormal>admin_space_left_action_parser called with: =
SUSPEND<o:p></o:p></p><p class=3DMsoNormal>disk_full_action_parser =
called with: SUSPEND<o:p></o:p></p><p =
class=3DMsoNormal>disk_error_action_parser called with: =
SUSPEND<o:p></o:p></p><p class=3DMsoNormal>tcp_listen_queue_parser =
called with: 5<o:p></o:p></p><p =
class=3DMsoNormal>tcp_max_per_addr_parser called with: =
1<o:p></o:p></p><p class=3DMsoNormal>tcp_client_max_idle_parser called =
with: 0<o:p></o:p></p><p class=3DMsoNormal>enable_krb5_parser called =
with: no<o:p></o:p></p><p class=3DMsoNormal>GSSAPI support is not =
enabled, ignoring value at line 30<o:p></o:p></p><p =
class=3DMsoNormal>krb5_principal_parser called with: =
auditd<o:p></o:p></p><p class=3DMsoNormal>GSSAPI support is not enabled, =
ignoring value at line 31<o:p></o:p></p><p class=3DMsoNormal>Started =
dispatcher: /usr/sbin/audispd pid: 3028<o:p></o:p></p><p =
class=3DMsoNormal>type=3DDAEMON_START msg=3Daudit(1522944040.042:592): =
op=3Dstart ver=3D2.8.4 format=3Draw =
kernel=3D3.10.0-693.17.1.el7.centos.plus.i686 auid=3D4294967295 =
pid=3D3026 uid=3D0 ses=3D4294967295 subj=3Dsystem_u:system_r:init_t =
res=3Dsuccess<o:p></o:p></p><p class=3DMsoNormal>config_manager init =
complete<o:p></o:p></p><p class=3DMsoNormal>Error sending status request =
(Connection refused)<o:p></o:p></p><p class=3DMsoNormal>Error sending =
enable request (Connection refused)<o:p></o:p></p><p =
class=3DMsoNormal>type=3DDAEMON_ABORT msg=3Daudit(1522944040.043:593): =
op=3Dset-enable auid=3D4294967295 pid=3D3026 uid=3D0 ses=3D4294967295 =
subj=3Dsystem_u:system_r:init_t res=3Dfailed<o:p></o:p></p><p =
class=3DMsoNormal>Unable to set initial audit startup state to 'enable', =
exiting<o:p></o:p></p><p class=3DMsoNormal>The audit daemon is =
exiting.<o:p></o:p></p><p class=3DMsoNormal>Error setting audit daemon =
pid (Connection refused)<o:p></o:p></p></div></body></html>
------=_NextPart_000_002B_01D3CCD9.4B374800--


--===============3140672886306601622==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3140672886306601622==--