From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: krb5 issues
Date: Thu, 26 May 2016 16:12:03 -0400 [thread overview]
Message-ID: <4966724.aFqryVVfLb@x2> (raw)
In-Reply-To: <5744603D.9020504@kenbass.com>
On Tuesday, May 24, 2016 10:07:57 AM Ken Bass wrote:
> On 05/23/2016 11:21 AM, Ken Bass wrote:
> > I enabled krb5 in my audisp-remote and audispd-remote reports "GSS-API
> > error sending token length" and fails to log remotely.
> >
> > If I reboot the destination auditd server AFTER the clients are
> > running it appears to work. But if I reboot any clients machine,
> > logging from that rebooted machine fails.
> > I created my service principals using freeipa - all systems are clean
> > installs of Centos 7.2.
> >
> > For now, I disabled krb5, but that is not a good solution.
>
> After disabling krb5 and rebooting the client servers several times I am
> seeing similar problems. I am seeing a dozen or so log file entries of
>
> Too many connections from 10.10.10.10:39107 - rejected
>
> I only have 2 clients and all I am doing is rebooting them. I tried
> increasing the tcp_listen_queue to 20 (from the default of 5) which made
> no difference.
>
> I seem to have traced it to needing to specify the tcp_client_ports to
> 60 rather than using whatever the default was. What would have been
> blocking this?
I think 60 is the default in the audit config files. IPtables/firewalld needs to
be opened and selinux is expecting port 60.
> And why only when the clients are rebooted second does it
> fail?
>
> After changing this the Kerberos works, so I think the 'error sending
> token length' is basically the same message but in a different code path
> to indicate the connection is rejected / cannot write to the TCP socket.
>
> Was the commented out ##tcp_client_ports parameter supposed to be
> changed by the end user? Was the defaults supposed to work?
There is some discussion of this in the man pages. Ports < 1024 are
privileged. If its higher they you can have someone dump spoofed log events in
the aggregating server. So, setting the port low gives a small amount of trust
that it might be real events from a real system. You should also use
tcp_wrappers to make sure specific systems are sending events. Kerberos though
is supposed to help ensure that you have even more trust.
-Steve
> On a related note, using krb5 causes a problem with selinux. Unless I
> disable it (or figure out a rule) auditd fails to start because it is
> denied permission to create /var/tmp/auditd_0 kerberos replay cache file.
> Is there a rule or procedure to properly fix that?
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
prev parent reply other threads:[~2016-05-26 20:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-23 15:21 krb5 issues Ken Bass
2016-05-24 14:07 ` Ken Bass
2016-05-26 15:16 ` Ken Bass
2016-05-26 20:04 ` Steve Grubb
2016-05-26 20:12 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4966724.aFqryVVfLb@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).