From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: audit collector connect fails
Date: Thu, 11 Sep 2008 17:00:41 -0500
Message-ID: <1221170441.6559.85.camel@homeserver>
References: <1220984797.6596.162.camel@homeserver> <200809091836.m89IatSW011688@greed.delorie.com> <1220986021.6596.167.camel@homeserver> <200809091925.m89JPmTd013185@greed.delorie.com> <1220990608.6596.200.camel@homeserver> <200809092011.m89KBshr014405@greed.delorie.com> <1220997150.6596.217.camel@homeserver> <200809092207.m89M7Dul017709@greed.delorie.com> <1221148112.6559.24.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <1221148112.6559.24.camel@homeserver>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: DJ Delorie
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

My sender fails to connect to my collector.

Is there any reason an MLS-policy F9 audisp-remote should be unable to connect to a targeted-policy F9 auditd? I have no ipsec or anything else involved...

I am looking for some hint as to why the connection is failing but I see only this on the sender:

- lsof says I'm stuck on SYN_SENT
TCP comms:38827->192.168.30.120:tsdos390 (SYN_SENT)

- audit search on sender
ausearch -ts today -i -c audisp-remote:
...
----
type=SYSCALL msg=audit(09/11/2008 16:14:45.102:19013) : arch=x86_64 syscall=connect success=no exit=-110(Connection timed out) a0=3 a1=7f99ab0f20e0 a2=10 a3=7fffb289cf50 items=0 ppid=25435 pid=25436 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=61 comm=audisp-remote exe=/sbin/audisp-remote subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)

Same audit versions on each (1.7.5-1).

On the sender, I can do a "newrole -l SystemHigh" and connect via "telnet 1237", so I don't think it is the level giving me any grief - sender is in permissive mode so there are AVCs but it should work.

Eventually on the sender I get this:
Sep 11 16:57:12 comms audisp-remote: Error connecting to 192.168.30.120: Connection timed out - exiting
Sep 11 16:57:14 comms audispd: plugin /sbin/audisp-remote terminated unexpectedly

On the collector machine I see the listen socket open but I see no denials in the messages log or the audit log.

Any suggestions?

Thx,
LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
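
Added example, not part of the original message: a small Python check that reads interpreted (`ausearch -i`) SYSCALL records like the one quoted above and reports failed `connect()` calls made by the forwarder, since each such failure means audit events are not reaching the collector. The function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample: the interpreted SYSCALL record quoted in the message,
# followed by one made-up successful record for contrast.
SAMPLE = """\
type=SYSCALL msg=audit(09/11/2008 16:14:45.102:19013) : arch=x86_64 syscall=connect success=no exit=-110(Connection timed out) a0=3 a1=7f99ab0f20e0 a2=10 a3=7fffb289cf50 items=0 ppid=25435 pid=25436 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=61 comm=audisp-remote exe=/sbin/audisp-remote subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)
type=SYSCALL msg=audit(09/11/2008 16:20:01.000:19100) : arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7f99ab0f20e0 a2=10 a3=0 items=0 ppid=1 pid=300 auid=root uid=root comm=audisp-remote exe=/sbin/audisp-remote subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)
"""

# key=value pairs; a value may carry a parenthesised part that contains spaces,
# e.g. msg=audit(<date> <time>:<serial>) or exit=-110(Connection timed out).
FIELD = re.compile(r"(\w+)=((?:[^\s(]*\([^)]*\))|\S+)")
# exit value: numeric code, optionally followed by the interpreted reason.
EXIT = re.compile(r"(-?\d+)(?:\((.*)\))?$")


def parse_record(line):
    """Split one interpreted audit record into a field dictionary."""
    return dict(FIELD.findall(line))


def failed_forwarder_connects(text, comm="audisp-remote"):
    """Return one summary dict per failed connect() issued by `comm`."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "connect":
            continue
        if rec.get("comm") != comm or rec.get("success") != "no":
            continue
        m = EXIT.match(rec.get("exit", ""))
        if not m:
            continue
        code, reason = m.groups()
        hits.append({
            "when": rec["msg"][len("audit("):-1],  # timestamp:serial
            "errno": -int(code),                   # 110 is ETIMEDOUT on Linux
            "reason": reason,
            "pid": int(rec.get("pid", 0)),
            "subj": rec.get("subj"),               # SELinux context of the sender
        })
    return hits


if __name__ == "__main__":
    for hit in failed_forwarder_connects(SAMPLE):
        print(hit)
```
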