From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Gruhn <Dan.Gruhn@groupw.com>
Subject: Remote audit clients on RHEL 5.2
Date: Thu, 12 Feb 2009 12:01:33 -0500
Message-ID: <499455ED.3060208@groupw.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0757075610=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n1CH1oXv018307
	for <linux-audit@redhat.com>; Thu, 12 Feb 2009 12:01:50 -0500
Received: from smtp.group-w-inc.com (group-w-inc.com [70.164.45.3])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n1CH1Y9h022481
	for <linux-audit@redhat.com>; Thu, 12 Feb 2009 12:01:35 -0500
Received: from smtp.group-w-inc.com (localhost.localdomain [127.0.0.1])
	by localhost (Postfix) with ESMTP id BFA9CDA009F
	for <linux-audit@redhat.com>; Thu, 12 Feb 2009 12:01:33 -0500 (EST)
Received: from [10.1.1.218] (dgruhn-f9.group-w-inc.com [10.1.1.218])
	by smtp.group-w-inc.com (Postfix) with ESMTP id 71E29DA0094
	for <linux-audit@redhat.com>; Thu, 12 Feb 2009 12:01:33 -0500 (EST)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============0757075610==
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Greetings,<br>
<br>
I have a 64 bit EL 5.2 system that I have built and installed all of
the necessary packages for the latest audit (1.7.11-1), prelude and
prewikka. (Does anyone need any binary RPM packages?).<br>
<br>
This all seems to be working fine on the central cluster server and now
I'm trying to set up clients in the cluster nodes to report their audit
information to the server.&nbsp; I've found the&nbsp; RHEL 5.3 release notes
where it says:<br>
</font>
<blockquote>
  <div class="para"> In addition to the listed enhancements, these
updated audit packages also include a new feature to allow a server to
aggregate the logs of remote systems. The following instructions can be
followed to enable this feature: </div>
  <div class="orderedlist">
  <ol>
    <li>
      <div class="para"> The
audispd-plugins package should be installed on all clients (but need
not be installed on the server), and the parameters for "remote_server"
and "port" should be set in the /etc/audisp/audisp-remote.conf
configuration file. </div>
    </li>
    <li>
      <div class="para"> On the server, which aggregates
the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf
file must be set to the same port number as the clients. </div>
    </li>
    <li>
      <div class="para"> Because the auditd daemon is
protected by SELinux, semanage (the SELinux policy management tool)
must also have the same port listed in its database. If the server and
client machines had all been configured to use port 1000, for example,
then running this command would accomplish this:
      <pre class="screen">semanage port -a -t audit_port_t -p tcp 1000
      </pre>
      </div>
    </li>
    <li>
      <div class="para"> The final step in
configuring remote log aggregation is to edit the /etc/hosts.allow
configuration file to inform tcp_wrappers which machines or subnets the
auditd daemon should allow connections from. </div>
    </li>
  </ol>
  </div>
</blockquote>
<font face="Helvetica, Arial, sans-serif">I'm on the step where I'm
trying to run the semanage command to let selinux know that port 60 (in
my case) is acceptable for audit to use but I get the following error
message when I run the command:<br>
<br>
</font>
<blockquote><tt># semanage port -a -t audit_port_t -p tcp 60<br>
libsepol.context_from_record: type audit_port_t is not defined<br>
libsepol.context_from_record: could not create context structure<br>
libsepol.port_from_record: could not create port structure for range
60:60 (tcp)<br>
libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)<br>
libsemanage.dbase_policydb_modify: could not modify record value<br>
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy<br>
/usr/sbin/semanage: Could not add port tcp/60</tt><br>
</blockquote>
<font face="Helvetica, Arial, sans-serif">I'm not much of a wiz at
selinux, but I can tell that the audit_port_t type doesn't exist.&nbsp; I'm
stuck here because:<br>
<br>
1) I don;t know how to create new types in selinux<br>
2) Even if I figured that out, I don't know how auditd would know to
use that.<br>
<br>
I've looked at the auditd executable, it has types like this:<br>
</font><tt>-rwxr-x---&nbsp; root root system_u:object_r:auditd_exec_t&nbsp;
/sbin/auditd</tt><font face="Helvetica, Arial, sans-serif"><br>
<br>
Could someone give me some pointers and/or point me to something I
could read to get me going?<br>
<br>
Thanks<br>
<br>
Dan<br>
</font>
<div class="moz-signature">-- <br>
<font face="Helvetica, Arial, sans-serif">Dan Gruhn, Group W Inc.<br>
</font></div>
</body>
</html>


--===============0757075610==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============0757075610==--