From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
To: Steve Grubb, linux-audit@redhat.com
Subject: Audisp-remote - connection refused.
Date: Tue, 3 Oct 2017 00:25:51 +0530

Hi

I tried my best to configure the audisp-remote.
I am getting below error on the client machine in /var/log/syslog.

Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused

192.168.103.7 is the IP address of the central log server.

Notes: My settings are below:

on server as well on client:
/etc/audisp/audisp-remote

remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100

I have enabled name_format=HOSTNAME only in one place (in /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)

entries in auditd.conf:

rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0

I see the server is listening on the port 6999 as below but it's not accepting client requests.

root@logs:/etc# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)

Best Regards,
Rituraj B
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
To: Steve Grubb, linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 3 Oct 2017 01:21:51 +0530

Additional info:

I doubt that the daemon is only listening on localhost and not accepting remote.

# lsof -i :6999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 9624 root    3u  IPv4  37642      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)

Btw, no iptables is running on the host. Also no tcpwrappers.

Regards

Best Regards,
Rituraj B

On Tue, Oct 3, 2017 at 12:25 AM, Rituraj Buddhisagar wrote:
> Hi
>
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
>
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> Connection refused
>
>
> 192.168.103.7 is the IP address of the central log server.
>
> Notes: My settings are below:
>
> on server as well on client:
> /etc/audisp/audisp-remote
>
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100
>
>
> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>
> entries in auditd.conf:
>
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0
>
>
> I see the server is listening on the port 6999 as below but it's not
> accepting client requests.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> 192.168.103.7:6999 (ESTABLISHED)
>
>
>
> Best Regards,
> Rituraj B
>
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
To: Rituraj Buddhisagar
Cc: linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Mon, 02 Oct 2017 17:58:43 -0400
Message-ID: <11869218.hX4XnSsCEN@x2>

On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> Hi
>
> I tried my best to configure the audisp-remote.
> I am getting below error on the client machine in /var/log/syslog.
>
> Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> Connection refused

On the server, what do you get for:

ausearch --start recent -m DAEMON_ACCEPT -i

The server side records some information about why it did not allow a
connection.

> 192.168.103.7 is the IP address of the central log server.
>
> Notes: My settings are below:
>
> on server as well on client:
> /etc/audisp/audisp-remote
>
> remote_server = 192.168.103.7
> port = 6999
> local_port = 6999
> transport = tcp
> queue_file = /var/spool/audit/remote.log
> mode = immediate
> queue_depth = 2048
> format = ascii
> network_retry_time = 100

This is probably not your problem but managed is the normal setting for
format. And do you have enable_krb5 set to no?

> I have enabled name_format=HOSTNAME only in one place (in
> /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>
> entries in auditd.conf:
>
> rtcp_listen_port = 6999
> tcp_listen_queue = 5
> tcp_max_per_addr = 10
> tcp_client_ports = 0-65535
> tcp_client_max_idle = 0

What do you have for use_libwrap and enable_krb5?

The ausearch info from the aggregating server should tell the reason why
the connection is rejected.

-Steve

> I see the server is listening on the port 6999 as below but it's not
> accepting client requests.
> root@logs:/etc# lsof -i :6999
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> 192.168.103.7:6999 (ESTABLISHED)
>
>
>
> Best Regards,
> Rituraj B

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
To: Steve Grubb
Cc: linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 3 Oct 2017 09:01:15 +0530
In-Reply-To: <11869218.hX4XnSsCEN@x2>

Please see inline-

regards

On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote:
> On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > Hi
> >
> > I tried my best to configure the audisp-remote.
> > I am getting below error on the client machine in /var/log/syslog.
> >
> > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > Connection refused
>
> On the server, what do you get for:
>
> ausearch --start recent -m DAEMON_ACCEPT -i
>
> The server side records some information about why it did not allow a
> connection.

I don't see any info in here.

# ausearch --start recent -m DAEMON_ACCEPT -i
<no matches>

I tried without --start & -i options as well.

But when I do a tcpdump on central server, I do see requests coming in. (I changed port to 60).

# tcpdump -i eth1 '( port 60 )'
08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0

I think the service is only listening locally and not for remote connections?

root@logs:/etc/audit# lsof -i :60
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)

How do I see that I am using libwrap? I have enable_krb5=no in the auditd.conf on the aggregative server.

> > 192.168.103.7 is the IP address of the central log server.
> >
> > Notes: My settings are below:
> >
> > on server as well on client:
> > /etc/audisp/audisp-remote
> >
> > remote_server = 192.168.103.7
> > port = 6999
> > local_port = 6999
> > transport = tcp
> > queue_file = /var/spool/audit/remote.log
> > mode = immediate
> > queue_depth = 2048
> > format = ascii
> > network_retry_time = 100
>
> This is probably not your problem but managed is the normal setting for
> format. And do you have enable_krb5 set to no?
>
> > I have enabled name_format=HOSTNAME only in one place (in
> > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
> >
> > entries in auditd.conf:
> >
> > rtcp_listen_port = 6999
> > tcp_listen_queue = 5
> > tcp_max_per_addr = 10
> > tcp_client_ports = 0-65535
> > tcp_client_max_idle = 0
>
> What do you have for use_libwrap and enable_krb5?
>
> The ausearch info from the aggregating server should tell the reason why
> the connection is rejected.
>
> -Steve
>
> > I see the server is listening on the port 6999 as below but it's not
> > accepting client requests.
> > root@logs:/etc# lsof -i :6999
> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->
> > 192.168.103.7:6999 (ESTABLISHED)
> >
> >
> >
> > Best Regards,
> > Rituraj B
>
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
To: Steve Grubb
Cc: linux-audit@redhat.com
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 3 Oct 2017 18:28:42 +0530
References: <11869218.hX4XnSsCEN@x2> <4285053.hh7HfXqAiY@x2>

Steve,

I should have attached my config in previous mail:

Here is the config on the aggregating server. (I see tcp_listen_port in auditd.conf and then there is mention of local port & port in audisp-remote.conf as well)

I do not see auditd listening on port 60 as per my previous mail. (netstat output)

root@guslogs:/etc/audit# cat auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
use_libwrap = no
##krb5_key_file = /etc/audit/audit.key

root@guslogs:/etc/audit# cat ../audisp/audisp-remote.conf
#
# This file controls the configuration of the audit remote
# logging subsystem, audisp-remote.
#
remote_server = 192.168.103.7
port = 60
local_port = 60
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = reconnect
generic_error_action = syslog
generic_warning_action = syslog
overflow_action = syslog
##enable_krb5 = no
##krb5_principal =
##krb5_client_name = auditd
##krb5_key_file = /etc/audisp/audisp-remote.key

Best Regards,
Rituraj B

On Tue, Oct 3, 2017 at 6:22 PM, Rituraj Buddhisagar wrote:
> Hi Steve,
>
> I did check IPtables and I am not having any rules in there. I have
> allowed the connections in /etc/hosts.allow. But then I do not see auditd
> listening on port 60.
> It just shows "ESTABLISHED" connection on the aggregating server - which
> is itself!
>
> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
> unix  2      [ ]         DGRAM                    17760    1897/systemd
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
> unix  2      [ ]         DGRAM                    20360    2136/auditd
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root@guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb wrote:
>
>> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>> > Please see inline-
>> >
>> > regards
>> >
>> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote:
>> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>> > > > Hi
>> > > >
>> > > > I tried my best to configure the audisp-remote.
>> > > > I am getting below error on the client machine in /var/log/syslog.
>> > > >
>> > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
>> > > > 192.168.103.7: Connection refused
>> > >
>> > > On the server, what do you get for:
>> > >
>> > > ausearch --start recent -m DAEMON_ACCEPT -i
>> > >
>> > > The server side records some information about why it did not allow a
>> > > connection.
>> >
>> > I don't see any info in here.
>> >
>> > # ausearch --start recent -m DAEMON_ACCEPT -i
>> > <no matches>
>>
>> Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>> selinux is blocking it? Once auditd sees its socket is readable, it calls
>> accept(2) and there is no path through the code that doesn't log an event
>> with a reason. Every possible failure logs a distinct reason why the
>> connection failed.
>>
>> > I tried without --start & -i options as well.
>>
>> --start today if you didn't connect within 10 minutes of running the
>> command.
>>
>> > But when I do a tcpdump on central server, I do see requests coming in.
>> > (I changed port to 60).
>> > # tcpdump -i eth1 '( port 60 )'
>> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
>> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > length 0
>> > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > 4076269452, win 0, length 0
>> > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
>> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > length 0
>> > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > 18024, win 0, length 0
>> > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
>> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > length 0
>> > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > 31202, win 0, length 0
>> > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
>> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > length 0
>> >
>> > I think the service is only listening locally and not for remote
>> > connections?
>>
>> It opens a socket on all addresses.
>> # netstat -tanp | grep auditd
>> tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
>>
>> > root@logs:/etc/audit# lsof -i :60
>> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
>> > 192.168.103.7:60 (ESTABLISHED)
>> >
>> >
>> > How do I see that I am using libwrap?
>>
>> It should have a config line in auditd.conf. If you do not, it defaults to
>> yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
>> are you put nothing there and the connection proceeds. If I were to guess,
>> I'd say iptables is blocking your connection.
>>
>> > I have enable_krb5=no in the
>> > auditd.conf on the aggregative server.
>>
>> Good. Because doing a krb5 connection without setting that up will cause it
>> to fail also. I'd bet on iptables being the problem.
>>
>> -Steve
>>
>>
>> > > > 192.168.103.7 is the IP address of the central log server.
>> > > >
>> > > > Notes: My settings are below:
>> > > >
>> > > > on server as well on client:
>> > > > /etc/audisp/audisp-remote
>> > > >
>> > > > remote_server = 192.168.103.7
>> > > > port = 6999
>> > > > local_port = 6999
>> > > > transport = tcp
>> > > > queue_file = /var/spool/audit/remote.log
>> > > > mode = immediate
>> > > > queue_depth = 2048
>> > > > format = ascii
>> > > > network_retry_time = 100
>> > >
>> > > This is probably not your problem but managed is the normal setting
>> > > for format. And do you have enable_krb5 set to no?
>> > >
>> > > > I have enabled name_format=HOSTNAME only in one place (in
>> > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>> > > >
>> > > > entries in auditd.conf:
>> > > >
>> > > > rtcp_listen_port = 6999
>> > > > tcp_listen_queue = 5
>> > > > tcp_max_per_addr = 10
>> > > > tcp_client_ports = 0-65535
>> > > > tcp_client_max_idle = 0
>> > >
>> > > What do you have for use_libwrap and enable_krb5?
>> > >
>> > > The ausearch info from the aggregating server should tell the reason
>> > > why the connection is rejected.
>> > >
>> > > -Steve
>> > >
>> > > > I see the server is listening on the port 6999 as below but it's not
>> > > > accepting client requests.
>> > > > root@logs:/etc# lsof -i :6999
>> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP
>> > > > 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>> > > >
>> > > >
>> > > >
>> > > > Best Regards,
>> > > > Rituraj B
>>
>>
>
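As an added example (not code from the thread or from the audit project), the following lint pass runs over the two config pairs Rituraj posted, encoding the checks Steve asked for (tcp_listen_port present, enable_krb5 off unless set up, use_libwrap defaulting to yes, managed as the normal format, local_port inside tcp_client_ports) plus one inference from the lsof/netstat output: an audisp-remote on the aggregator whose remote_server is its own address and whose local_port equals port completes its connect as a TCP self-connection when nothing is listening, which is what the A:60->A:60 ESTABLISHED line shows. The sample config texts and the address set are constructed from the values in the mails.

```python
from typing import Dict, List, Set, Tuple

# Constructed samples: only keys and values posted in the thread appear here.
AUDITD_CONF_FIRST_MAIL = """
rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
"""
AUDISP_REMOTE_CONF_FIRST_MAIL = """
remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
format = ascii
"""
AUDITD_CONF_LAST_MAIL = """
tcp_listen_port = 60
tcp_client_ports = 0-65535
enable_krb5 = no
krb5_principal = auditd
use_libwrap = no
##krb5_key_file = /etc/audit/audit.key
"""
AUDISP_REMOTE_CONF_LAST_MAIL = """
remote_server = 192.168.103.7
port = 60
local_port = 60
format = ascii
##enable_krb5 = no
"""
AGGREGATOR_ADDRESSES = {"192.168.103.7"}  # the central log server's IP in the thread

Finding = Tuple[str, str]  # (short code, explanation)


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'key = value' format of auditd.conf and audisp-remote.conf.
    Lines starting with '#' (including the '##' placeholders) are comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def port_in_range(port: str, spec: str) -> bool:
    """tcp_client_ports takes one port or a 'low-high' range of client source ports."""
    lo, _, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= int(port) <= high


def lint_aggregator(auditd: Dict[str, str], remote: Dict[str, str],
                    own_addresses: Set[str]) -> List[Finding]:
    """Checks for the aggregating server, where both files are present."""
    out: List[Finding] = []
    if "tcp_listen_port" not in auditd:
        out.append(("NO_LISTEN_PORT", "auditd.conf has no tcp_listen_port, so auditd "
                    "opens no listening socket; look for a misspelled key such as "
                    "'rtcp_listen_port'"))
    krb5 = auditd.get("enable_krb5")
    if krb5 is None:
        out.append(("KRB5_UNSET", "enable_krb5 not set; it must be 'no' unless a "
                    "principal and key file are configured"))
    elif krb5 != "no":
        out.append(("KRB5_ON", "enable_krb5 is on; a krb5 connection without that "
                    "set up fails"))
    libwrap = auditd.get("use_libwrap")
    if libwrap is None:
        out.append(("LIBWRAP_DEFAULT", "use_libwrap not set: it defaults to yes, so "
                    "/etc/hosts.allow and hosts.deny decide who may connect"))
    elif libwrap == "yes":
        out.append(("LIBWRAP_ON", "use_libwrap is yes: check /etc/hosts.allow and hosts.deny"))
    if remote.get("format") != "managed":
        out.append(("FORMAT", f"audisp-remote format is {remote.get('format')!r}; "
                    "managed is the normal setting"))
    local_port, port, server = remote.get("local_port"), remote.get("port"), remote.get("remote_server")
    client_ports = auditd.get("tcp_client_ports")
    if local_port and client_ports and not port_in_range(local_port, client_ports):
        out.append(("CLIENT_PORT_RANGE", f"local_port {local_port} is outside "
                    f"tcp_client_ports {client_ports}, so the aggregator rejects it"))
    if server in own_addresses and local_port == port:
        # Inference from the thread's lsof/netstat output, not documented behaviour.
        out.append(("SELF_CONNECT", f"audisp-remote on the aggregator connects to its own "
                    f"address {server}:{port} from local_port {local_port}; with nothing "
                    f"listening there the connect completes as a TCP self-connection "
                    f"({server}:{port}->{server}:{port} ESTABLISHED) and no record reaches auditd"))
    return out


def lint_thread_configs() -> Dict[str, List[Finding]]:
    """Lint both config pairs posted in the thread, keyed by which mail they came from."""
    pairs = {
        "first_mail": (AUDITD_CONF_FIRST_MAIL, AUDISP_REMOTE_CONF_FIRST_MAIL),
        "last_mail": (AUDITD_CONF_LAST_MAIL, AUDISP_REMOTE_CONF_LAST_MAIL),
    }
    return {name: lint_aggregator(parse_conf(a), parse_conf(r), AGGREGATOR_ADDRESSES)
            for name, (a, r) in pairs.items()}


if __name__ == "__main__":
    for name, findings in lint_thread_configs().items():
        print(f"== {name} ==")
        for code, why in findings:
            print(f"  [{code}] {why}")
```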
Steve, I should have attached my config in my previous mail:
Here is the config on the aggregating server. (I see tcp_listen_port in auditd.conf and then there is mention of local port & port in audisp-remote.conf as well)
I do not see auditd listening on port 60 as per my previous mail. (netstat output)

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
use_libwrap = no
##krb5_key_file = /etc/audit/audit.key

root@guslogs:/etc/audit# cat ../audisp/audisp-remote.conf
#
# This file controls the configuration of the audit remote
# logging subsystem, audisp-remote.
#

remote_server = 192.168.103.7
port = 60
local_port = 60
transport = tcp
queue_file = /var/spool/audit/remote.log
mode = immediate
queue_depth = 2048
format = ascii
network_retry_time = 100
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0

network_failure_action = stop
disk_low_action = ignore
disk_full_action = ignore
disk_error_action = syslog
remote_ending_action = reconnect
generic_error_action = syslog
generic_warning_action = syslog
overflow_action = syslog
##enable_krb5 = no
##krb5_principal =
##krb5_client_name = auditd
##krb5_key_file = /etc/audisp/audisp-remote.key


Best Regards,
Rituraj B

On Tue, Oct 3, 2017 at 6:22 PM, Rituraj Buddhisagar <rituraj@vayana.com> wrote:
> Hi Steve,
>
> I did check IPtables and I am not having any rules in there. I have allowed the connections in /etc/hosts.allow. But then I do not see auditd listening on port 60.
> It just shows "ESTABLISHED" connection on the aggregating server - which is itself!
>
> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
> unix  2      [ ]         DGRAM                    17760    1897/systemd
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
> unix  2      [ ]         DGRAM                    20360    2136/auditd
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root@guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> > > Please see inline-
> > >
> > > regards
> > >
> > >
> > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > > > Hi
> > > > >
> > > > > I tried my best to configure the audisp-remote.
> > > > > I am getting below error on the client machine in /var/log/syslog.
> > > > >
> > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > > > > Connection refused
> > > >
> > > > On the server, what do you get for:
> > > >
> > > > ausearch --start recent -m DAEMON_ACCEPT -i
> > > >
> > > > The server side records some information about why it did not allow a
> > > > connection.
> > >
> > > I don't see any info in here.
> > >
> > > # ausearch --start recent -m DAEMON_ACCEPT -i
> > > <no matches>
> >
> > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
> > selinux is blocking it? Once auditd sees its socket is readable, it calls
> > accept(2) and there is no path through the code that doesn't log an event with
> > a reason. Every possible failure logs a distinct reason why the connection
> > failed.
> >
> >
> > > I tried without --start & -i options as well.
> >
> > --start today if you didn't connect within 10 minutes of running the command.
> >
> >
> > > But when I do a tcpdump on central server, I do see requests coming in. (I
> > > changed port to 60).
> > > # tcpdump -i eth1 '( port 60 )'
> > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 4076269452, win 0, length 0
> > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 18024, win 0, length 0
> > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 31202, win 0, length 0
> > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > >
> > > I think the service is only listening locally and not for remote
> > > connections?
> >
> > It opens a socket on all addresses.
> > # netstat -tanp | grep auditd
> > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
> > 893/auditd
> >
> > > root@logs:/etc/audit# lsof -i :60
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> > > 192.168.103.7:60 (ESTABLISHED)
> > >
> > >
> > > How do I see that I am using libwrap?
> >
> > It should have a config line in auditd.conf. If you do not, it defaults to
> > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
> > are you put nothing there and the connection proceeds. If I were to guess, I'd
> > say iptables is blocking your connection.
> >
> > > I have enable_krb5=no in the
> > > auditd.conf on the aggregative server.
> >
> > Good. Cause doing a krb5 connection without setting that up will cause it to
> > fail also. I'd bet on iptables being the problem.
> >
> > -Steve
> >
> >
> > > > > 192.168.103.7 is the IP address of the central log server.
> > > > >
> > > > > Notes: My settings are below:
> > > > >
> > > > > on server as well on client:
> > > > > /etc/audisp/audisp-remote
> > > > >
> > > > > remote_server = 192.168.103.7
> > > > > port = 6999
> > > > > local_port = 6999
> > > > > transport = tcp
> > > > > queue_file = /var/spool/audit/remote.log
> > > > > mode = immediate
> > > > > queue_depth = 2048
> > > > > format = ascii
> > > > > network_retry_time = 100
> > > >
> > > > This is probably not your problem but managed is the normal setting for
> > > > format. And do you have enable_krb5 set to no?
> > > >
> > > > > I have enabled name_format=HOSTNAME only in one place (in
> > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > > >
> > > > > entries in auditd.conf:
> > > > >
> > > > > rtcp_listen_port = 6999
> > > > > tcp_listen_queue = 5
> > > > > tcp_max_per_addr = 10
> > > > > tcp_client_ports = 0-65535
> > > > > tcp_client_max_idle = 0
> > > >
> > > > What do you have for use_libwrap and enable_krb5?
> > > >
> > > > The ausearch info from the aggregating server should tell the reason why
> > > > the
> > > > connection is rejected.
> > > >
> > > > -Steve
> > > >
> > > > > I see the server is listening on the port 6999 as below but its not
> > > > > accepting client request.
> > > > > root@logs:/etc# lsof -i :6999
> > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999
> > > >
> > > > ->
> > > >
> > > > > 192.168.103.7:6999 (ESTABLISHED)
> > > > >
> > > > >
> > > > >
> > > > > Best Regards,
> > > > > Rituraj B

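The aggregating server's own audisp-remote.conf above points remote_server at the server's own address with local_port equal to the tcp_listen_port in its auditd.conf, and the quoted lsof/netstat output shows audisp-remote holding a TCP socket whose local and foreign ends are both 192.168.103.7:60 while nothing listens on port 60 and the tcpdump shows every client SYN answered with RST. An aggregator in that state is a silent gap in the audit trail: clients keep queueing and retrying, and nothing is recorded centrally. The check below is an added example, not code from this thread or from the audit project: it parses the two `key = value` files and a `netstat -tanp` dump and flags exactly those conditions. The sample inputs are constructed from the values posted in the thread; the address 192.0.2.10 in the "fixed" variant is a placeholder, and the set of local addresses handed to the function, as well as the assumption that an unset local_port lets the kernel pick the client port, are assumptions of the example.

```python
"""Added example: sanity checks for an auditd aggregation host.

Parses auditd.conf and audisp-remote.conf ('key = value' text) plus a
`netstat -tanp` dump and flags the picture seen in the thread:
  * audisp-remote on the aggregator dialing the aggregator itself,
  * local_port in audisp-remote.conf equal to auditd's tcp_listen_port,
  * a TCP socket whose local and foreign endpoints are identical,
  * no LISTEN socket on tcp_listen_port.
"""


def parse_kv(text):
    """Parse 'key = value' lines. '#' starts a comment; other lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip():
            conf[key.strip()] = value.strip()
    return conf


def parse_netstat(text):
    """Parse the TCP rows of `netstat -tanp`; the PID/Program column may be absent."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        rows.append({
            "proto": parts[0],
            "local": parts[3],
            "foreign": parts[4],
            "state": parts[5],
            "program": parts[6] if len(parts) > 6 else "",
        })
    return rows


def check_aggregator(auditd_conf, remote_conf, netstat_out, local_addrs):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    auditd = parse_kv(auditd_conf)
    remote = parse_kv(remote_conf)
    findings = []

    listen_port = auditd.get("tcp_listen_port")
    if listen_port is None:
        findings.append("auditd.conf: no tcp_listen_port, auditd will not accept remote clients")
        return findings

    # audisp-remote on this host forwards to this host: a loop, and a port clash if
    # it binds the same port auditd is supposed to listen on.
    if remote.get("remote_server") in local_addrs:
        findings.append("audisp-remote.conf: remote_server is this host, the aggregator forwards to itself")
        if remote.get("local_port") == listen_port:
            findings.append(
                f"port collision: audisp-remote local_port {listen_port} equals auditd tcp_listen_port"
            )

    rows = parse_netstat(netstat_out)
    for row in rows:
        if row["state"] == "ESTABLISHED" and row["local"] == row["foreign"]:
            findings.append(f"self-connected socket {row['local']} held by {row['program'] or 'unknown'}")

    listening = any(
        row["state"] == "LISTEN" and row["local"].rsplit(":", 1)[1] == listen_port
        for row in rows
    )
    if not listening:
        findings.append(f"no LISTEN socket on port {listen_port}: remote SYNs will be answered with RST")
    return findings


# Constructed from the values posted in the thread.
AUDITD_CONF = """\
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
use_libwrap = no
"""

REMOTE_CONF_SELF = """\
remote_server = 192.168.103.7
port = 60
local_port = 60
transport = tcp
"""

NETSTAT_BROKEN = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
"""

# Fixed variant (constructed): audisp-remote points at another aggregator (192.0.2.10 is a
# placeholder), local_port is left unset (assumed: the kernel then picks the client port),
# and auditd owns the listener, as in Steve's netstat line.
REMOTE_CONF_OK = """\
remote_server = 192.0.2.10
port = 60
transport = tcp
"""

NETSTAT_OK = """\
tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
"""

if __name__ == "__main__":
    for finding in check_aggregator(AUDITD_CONF, REMOTE_CONF_SELF, NETSTAT_BROKEN, {"192.168.103.7"}):
        print("FINDING:", finding)
```

Run on the aggregator itself, the local address set would come from the host's interfaces; here it is passed in so the check runs offline against captured output.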
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 03 Oct 2017 08:44:43 -0400
Message-ID: <4285053.hh7HfXqAiY@x2>
References: <11869218.hX4XnSsCEN@x2>
To: Rituraj Buddhisagar
Cc: linux-audit@redhat.com

On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> Please see inline-
>
> regards
>
>
> On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > Hi
> > >
> > > I tried my best to configure the audisp-remote.
> > > I am getting below error on the client machine in /var/log/syslog.
> > >
> > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7:
> > > Connection refused
> >
> > On the server, what do you get for:
> >
> > ausearch --start recent -m DAEMON_ACCEPT -i
> >
> > The server side records some information about why it did not allow a
> > connection.
>
> I don't see any info in here.
>
> # ausearch --start recent -m DAEMON_ACCEPT -i
> <no matches>

Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
selinux is blocking it? Once auditd sees its socket is readable, it calls
accept(2) and there is no path through the code that doesn't log an event with
a reason. Every possible failure logs a distinct reason why the connection
failed.


> I tried without --start & -i options as well.

--start today if you didn't connect within 10 minutes of running the command.


> But when I do a tcpdump on central server, I do see requests coming in. (I
> changed port to 60).
> # tcpdump -i eth1 '( port 60 )'
> 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 4076269452, win 0, length 0
> 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 18024, win 0, length 0
> 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
> 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> 31202, win 0, length 0
> 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
> win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> length 0
>
> I think the service is only listening locally and not for remote
> connections?

It opens a socket on all addresses.
# netstat -tanp | grep auditd
tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
893/auditd

> root@logs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> 192.168.103.7:60 (ESTABLISHED)
>
>
> How do I see that I am using libwrap?

It should have a config line in auditd.conf. If you do not, it defaults to
yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
are you put nothing there and the connection proceeds. If I were to guess, I'd
say iptables is blocking your connection.

> I have enable_krb5=no in the
> auditd.conf on the aggregative server.

Good. Cause doing a krb5 connection without setting that up will cause it to
fail also. I'd bet on iptables being the problem.

-Steve


> > > 192.168.103.7 is the IP address of the central log server.
> > >
> > > Notes: My settings are below:
> > >
> > > on server as well on client:
> > > /etc/audisp/audisp-remote
> > >
> > > remote_server = 192.168.103.7
> > > port = 6999
> > > local_port = 6999
> > > transport = tcp
> > > queue_file = /var/spool/audit/remote.log
> > > mode = immediate
> > > queue_depth = 2048
> > > format = ascii
> > > network_retry_time = 100
> >
> > This is probably not your problem but managed is the normal setting for
> > format. And do you have enable_krb5 set to no?
> >
> > > I have enabled name_format=HOSTNAME only in one place (in
> > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > >
> > > entries in auditd.conf:
> > >
> > > rtcp_listen_port = 6999
> > > tcp_listen_queue = 5
> > > tcp_max_per_addr = 10
> > > tcp_client_ports = 0-65535
> > > tcp_client_max_idle = 0
> >
> > What do you have for use_libwrap and enable_krb5?
> >
> > The ausearch info from the aggregating server should tell the reason why
> > the
> > connection is rejected.
> >
> > -Steve
> >
> > > I see the server is listening on the port 6999 as below but its not
> > > accepting client request.
> > > root@logs:/etc# lsof -i :6999
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999
> >
> > ->
> >
> > > 192.168.103.7:6999 (ESTABLISHED)
> > >
> > >
> > >
> > > Best Regards,
> > > Rituraj B



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 3 Oct 2017 18:22:48 +0530
References: <11869218.hX4XnSsCEN@x2> <4285053.hh7HfXqAiY@x2>
In-Reply-To: <4285053.hh7HfXqAiY@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

Hi Steve,

I did check IPtables and I am not having any rules in there. I have allowed
the connections in /etc/hosts.allow. But then I do not see auditd listening
on port 60.
It just shows "ESTABLISHED" connection on the aggregating server - which is
itself!

root@guslogs:/etc/audit# lsof -i :60
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# netstat -pan | grep 60
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
unix  2      [ ]         DGRAM                    17760    1897/systemd
unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
unix  2      [ ]         DGRAM                    20360    2136/auditd
unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# netstat -tanp | grep auditd
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@guslogs:/etc/audit#
root@guslogs:/etc/audit# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#

ALL: ALL
root@guslogs:/etc/audit#


Best Regards,
Rituraj B

On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb wrote:
> On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> > Please see inline-
> >
> > regards
> >
> >
> > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote:
> > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > > Hi
> > > >
> > > > I tried my best to configure the audisp-remote.
> > > > I am getting below error on the client machine in /var/log/syslog.
> > > >
> > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
> 192.168.103.7:
> > > > Connection refused
> > >
> > > On the server, what do you get for:
> > >
> > > ausearch --start recent -m DAEMON_ACCEPT -i
> > >
> > > The server side records some information about why it did not allow a
> > > connection.
> >
> > I don't see any info in here.
> >
> > # ausearch --start recent -m DAEMON_ACCEPT -i
> > <no matches>
>
> Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
> selinux is blocking it? Once auditd sees its socket is readable, it calls
> accept(2) and there is no path through the code that doesn't log an event
> with
> a reason. Every possible failure logs a distinct reason why the connection
> failed.
>
> > I tried without --start & -i options as well.
>
> --start today if you didn't connect within 10 minutes of running the
> command.
>
> > But when I do a tcpdump on central server, I do see requests coming in.
> (I
> > changed port to 60).
> > # tcpdump -i eth1 '( port 60 )'
> > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076269451,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 4076269452, win 0, length 0
> > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076287474,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 18024, win 0, length 0
> > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076300652,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > 31202, win 0, length 0
> > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> 4076306151,
> > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > length 0
> >
> > I think the service is only listening locally and not for remote
> > connections?
>
> It opens a socket on all addresses.
> # netstat -tanp | grep auditd
> tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
> 893/auditd
>
> > root@logs:/etc/audit# lsof -i :60
> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> > 192.168.103.7:60 (ESTABLISHED)
> >
> >
> > How do I see that I am using libwrap?
>
> It should have a config line in auditd.conf. If you do not, it defaults to
> yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
> are you put nothing there and the connection proceeds. If I were to guess,
> I'd
> say iptables is blocking your connection.
>
> > I have enable_krb5=no in the
> > auditd.conf on the aggregative server.
>
> Good. Cause doing a krb5 connection without setting that up will cause it
> to
> fail also. I'd bet on iptables being the problem.
>
> -Steve
>
>
> > > > 192.168.103.7 is the IP address of the central log server.
> > > >
> > > > Notes: My settings are below:
> > > >
> > > > on server as well on client:
> > > > /etc/audisp/audisp-remote
> > > >
> > > > remote_server = 192.168.103.7
> > > > port = 6999
> > > > local_port = 6999
> > > > transport = tcp
> > > > queue_file = /var/spool/audit/remote.log
> > > > mode = immediate
> > > > queue_depth = 2048
> > > > format = ascii
> > > > network_retry_time = 100
> > >
> > > This is probably not your problem but managed is the normal setting for
> > > format. And do you have enable_krb5 set to no?
> > >
> > > > I have enabled name_format=HOSTNAME only in one place (in
> > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > >
> > > > entries in auditd.conf:
> > > >
> > > > rtcp_listen_port = 6999
> > > > tcp_listen_queue = 5
> > > > tcp_max_per_addr = 10
> > > > tcp_client_ports = 0-65535
> > > > tcp_client_max_idle = 0
> > >
> > > What do you have for use_libwrap and enable_krb5?
> > >
> > > The ausearch info from the aggregating server should tell the reason
> why
> > > the
> > > connection is rejected.
> > >
> > > -Steve
> > >
> > > > I see the server is listening on the port 6999 as below but its not
> > > > accepting client request.
> > > > root@logs:/etc# lsof -i :6999
> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP
> 192.168.103.7:6999
> > >
> > > ->
> > >
> > > > 192.168.103.7:6999 (ESTABLISHED)
> > > >
> > > >
> > > >
> > > > Best Regards,
> > > > Rituraj B
>
>
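Steve's reply says use_libwrap defaults to yes and that auditd then consults /etc/hosts.allow and hosts.deny; the auditd.conf posted later in the thread actually has use_libwrap = no, so the `ALL: ALL` line shown above has no effect on auditd at all, and if libwrap were enabled it would admit every client. The evaluator below is an added example, not code from this thread, from the audit project or from tcp_wrappers: it implements the hosts_access(5) decision for the commonly used subset of the rule language (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask, exact host or address, EXCEPT) in the documented order: hosts.allow first, a match grants; then hosts.deny, a match denies; a client matching neither is allowed. The daemon name `auditd` and the sample rule files are assumptions of the example, not taken from the thread.

```python
"""Added example: a minimal evaluator for tcp_wrappers hosts_access(5) rules.

Supports ALL, LOCAL, '.domain' suffixes, 'a.b.c.' prefixes, net/mask, exact
host or address matches and the EXCEPT operator.  Netgroups, KNOWN/UNKNOWN,
PARANOID, user@host and IPv6 brackets are deliberately left out.
"""
import ipaddress


def _split_list(text):
    """Split a daemon or client list on commas and whitespace; EXCEPT stays a token."""
    return text.replace(",", " ").split()


def _match_token(token, name, addr):
    """Does one pattern match a client given its hostname and address?"""
    if token == "ALL":
        return True
    if token == "LOCAL":                       # a hostname without a dot
        return "." not in name
    if token.startswith("."):                  # domain suffix, e.g. .example.org
        return name.endswith(token)
    if token.endswith("."):                    # address prefix, e.g. 192.168.103.
        return addr.startswith(token)
    if "/" in token:                           # net/mask, e.g. 192.168.103.0/255.255.255.0
        net, mask = token.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return token == name or token == addr      # exact hostname or address


def _match_list(tokens, name, addr):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], name, addr) and not _match_list(tokens[i + 1:], name, addr)
    return any(_match_token(t, name, addr) for t in tokens)


def _file_matches(text, daemon, name, addr):
    """True if any 'daemon_list : client_list' rule in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons, clients = _split_list(fields[0]), _split_list(fields[1])
        # Daemon patterns are plain names or ALL; reuse the matcher with name == addr.
        if _match_list(daemons, daemon, daemon) and _match_list(clients, name, addr):
            return True
    return False


def hosts_access(allow_text, deny_text, daemon, client_name, client_addr):
    """Return True if (daemon, client) is granted access under the two files."""
    if _file_matches(allow_text, daemon, client_name, client_addr):
        return True
    if _file_matches(deny_text, daemon, client_name, client_addr):
        return False
    return True   # no rule matched in either file: access is granted


# Constructed sample files.  ALLOW_THREAD is the line shown in the thread; the tight pair
# admits only the aggregator's subnet to the (assumed) daemon name "auditd" and excludes
# the aggregator's own address, which should never be an audisp-remote client of itself.
ALLOW_THREAD = "ALL: ALL\n"
ALLOW_TIGHT = "auditd: 192.168.103.0/255.255.255.0 EXCEPT 192.168.103.7\n"
DENY_TIGHT = "auditd: ALL\n"

if __name__ == "__main__":
    for files in ((ALLOW_THREAD, ""), (ALLOW_TIGHT, DENY_TIGHT)):
        for host, ip in (("gusm1", "192.168.103.5"), ("guslogs", "192.168.103.7"), ("other", "10.0.0.5")):
            verdict = "allow" if hosts_access(*files, "auditd", host, ip) else "deny"
            print(f"{files[0].strip():55} {host:8} {ip:15} {verdict}")
```

With the thread's `ALL: ALL` every client is admitted regardless of what hosts.deny says, because the allow file is consulted first; the tight pair shows the usual pattern of a specific allow list backed by a catch-all deny.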
Hi Steve,=C2=A0

I did che= ck IPtables and I am not having any rules in there. I have allowed the conn= ections in /etc/hosts.allow. But then I do not see auditd listening on port= 60.
It just shows "ESSTABLISHED&q= uot; connection on the aggregating server - which is itself!

root@gu= slogs:/etc/audit# lsof -i :60
COMMAND =C2=A0 =C2=A0PID U= SER =C2=A0 FD =C2=A0 TYPE DEVICE SIZE/OFF NODE NAME
audisp-re 2146 root =C2=A0 =C2=A03u =C2=A0IPv4 =C2=A020368 =C2= =A0 =C2=A0 =C2=A00t0 =C2=A0TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
roo= t@guslogs:/etc/audit#=C2=A0
root@guslogs:/etc/audit# net= stat -pan | grep 60
tcp= =C2=A0 =C2=A0 =C2=A0 =C2=A00 =C2=A0 =C2=A0 =C2=A00 0.0.0.0:22 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A00.0.0= .0:* =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 LISTEN =C2=A0 =C2=A0 = =C2=A01260/sshd =C2=A0 =C2=A0 =C2=A0=C2=A0
tcp =C2=A0 = =C2=A010491 =C2=A0 1360 192.168.103.7:6= 0 =C2=A0 =C2=A0 =C2=A0 =C2=A0192.16= 8.103.7:60 =C2=A0 =C2=A0 =C2=A0 =C2=A0ESTABLISHED 2146/audisp-remote
tcp6 =C2=A0 =C2=A0 =C2=A0 0 =C2=A0 =C2=A0 =C2=A00 :::22 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :::* =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0LISTEN =C2=A0= =C2=A0 =C2=A01260/sshd =C2=A0 =C2=A0 =C2=A0=C2=A0
uni= x =C2=A02 =C2=A0 =C2=A0 =C2=A0[ ACC ] =C2=A0 =C2=A0 STREAM =C2=A0 =C2=A0 LI= STENING =C2=A0 =C2=A0 16055 =C2=A0 =C2=A01925/0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0/tmp/ssh-h0brbTMA4a/agent.1925
uni= x =C2=A03 =C2=A0 =C2=A0 =C2=A0[ ] =C2=A0 =C2=A0 =C2=A0 =C2=A0 STREAM =C2=A0= =C2=A0 CONNECTED =C2=A0 =C2=A0 13777 =C2=A0 =C2=A01260/sshd =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0=C2=A0
unix =C2=A02 =C2=A0 =C2=A0 = =C2=A0[ ] =C2=A0 =C2=A0 =C2=A0 =C2=A0 DGRAM =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A017760 =C2=A0 =C2=A01897/systemd =C2= =A0 =C2=A0 =C2=A0 =C2=A0
unix =C2=A03 =C2=A0 =C2=A0 =C2= =A0[ ] =C2=A0 =C2=A0 =C2=A0 =C2=A0 STREAM =C2=A0 =C2=A0 CONNECTED =C2=A0 = =C2=A0 16036 =C2=A0 =C2=A01897/systemd =C2=A0 =C2=A0 =C2=A0 =C2=A0
unix =C2=A02 =C2=A0 =C2=A0 =C2=A0[ ] =C2=A0 =C2=A0 =C2=A0 =C2=A0= DGRAM =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A020360 =C2=A0 =C2=A02136/auditd =C2=A0 =C2=A0 =C2=A0 =C2=A0=C2=A0<= /div>
unix =C2=A03 =C2=A0 =C2=A0 =C2=A0[ ] =C2=A0 =C2=A0 =C2=A0 =C2= =A0 STREAM =C2=A0 =C2=A0 CONNECTED =C2=A0 =C2=A0 13260 =C2=A0 =C2=A01/init = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0/run/systemd/journal/stdout=
root@guslogs:/etc/audit#=C2=A0
roo= t@guslogs:/etc/audit# netstat -tanp | grep auditd
root@g= uslogs:/etc/audit#=C2=A0
root@guslogs:/etc/audit# iptabl= es -L
Chain INPUT (policy ACCEPT)
tar= get =C2=A0 =C2=A0 prot opt source =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 destination =C2=A0 =C2=A0 =C2=A0 =C2=A0=C2=A0
Chain FORWARD (policy ACCEPT)
tar= get =C2=A0 =C2=A0 prot opt source =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 destination =C2=A0 =C2=A0 =C2=A0 =C2=A0=C2=A0
Chain OUTPUT (policy ACCEPT)
tar= get =C2=A0 =C2=A0 prot opt source =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 destination =C2=A0 =C2=A0 =C2=A0 =C2=A0=C2=A0
ro= ot@guslogs:/etc/audit#=C2=A0
root@guslogs:/etc/audit# ca= t /etc/hosts.allow=C2=A0
# /etc/hosts.allow: list of hos= ts that are allowed to access the system.
# =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 See the manual pages h= osts_access(5) and hosts_options(5).
#
# = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ALL: .foobar.edu EXCEPT termi= nalserver.foobar.edu
#
# If you&#= 39;re going to protect the portmapper use the name "rpcbind" for = the
# daemon name. See rpcbind(8) and rpc.mountd(8) fo= r further information.
#

<= /div>
ALL: ALL
root@guslogs:/etc/audit#=C2=A0


<= div dir=3D"ltr">
Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb = <sgrubb@redhat.com> wrote:
On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhi= sagar wrote:
> P
> =E2=80=8Blease see inline-
>
> regards
> =E2=80=8B
>
> On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wro= te:
> > > Hi
> > >
> > > I tried my best to configure the audisp-remote.
> > > I am getting below error on the client machine in /var/log/s= yslog.
> > >
> > > Oct=C2=A0 2 14:41:15 xxxxxx audisp-remote: Error connecting = to 19= 2.168.103.7:
> > > Connection refused
> >
> > On the server, what do you get for:
> >
> > ausearch --start recent -m DAEMON_ACCEPT -i
> >
> > The server side records some information about why it did not all= ow a
> > connection.
>
> =E2=80=8BI dont see any info in here.
>
> # ausearch --start recent -m DAEMON_ACCEPT -i
> <no matches>

Then its not connecting at all. Maybe your firewall is blocking it. = Maybe
selinux is blocking it? Once auditd sees its socket is readable, it calls accept(2) and there is no path through the code that doesn't log an eve= nt with
a reason. Every possible failure logs a distinct reason why the connection<= br> failed.


> I tried without --start & -i options as well.

--start today if you didn't connect within 10 minutes of running= the command.


> But when I do a tcpdump on central server, I do see requests coming in. (I
> changed port to 60).
> # tcpdump -i eth1 '( port 60 )'
> 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
> 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
> 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
> 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
> 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
> 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
> 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>
> I think the service is only listening locally and not for remote
> connections?

It opens a socket on all addresses.
# netstat -tanp | grep auditd
tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd

> root@logs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>
>
> How do I see that I am using libwrap?

It should have a config line in auditd.conf. If you do not, it defaults to
yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
are you put nothing there and the connection proceeds. If I were to guess, I'd
say iptables is blocking your connection.

> I have enable_krb5=no in the
> auditd.conf on the aggregative server.

Good. Cause doing a krb5 connection without setting that up will cause it to
fail also. I'd bet on iptables being the problem.

-Steve


> > > 192.168.103.7 is the IP address of the central log server.
> > >
> > > Notes: My settings are below:
> > >
> > > on server as well on client:
> > > /etc/audisp/audisp-remote
> > >
> > > remote_server = 192.168.103.7
> > > port = 6999
> > > local_port = 6999
> > > transport = tcp
> > > queue_file = /var/spool/audit/remote.log
> > > mode = immediate
> > > queue_depth = 2048
> > > format = ascii
> > > network_retry_time = 100
> >
> > This is probably not your problem but managed is the normal setting for
> > format. And do you have enable_krb5 set to no?
> >
> > > I have enabled name_format=HOSTNAME only in one place (in
> > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > >
> > > entries in auditd.conf:
> > >
> > > rtcp_listen_port = 6999
> > > tcp_listen_queue = 5
> > > tcp_max_per_addr = 10
> > > tcp_client_ports = 0-65535
> > > tcp_client_max_idle = 0
> >
> > What do you have for use_libwrap and enable_krb5?
> >
> > The ausearch info from the aggregating server should tell the reason why
> > the
> > connection is rejected.
> >
> > -Steve
> >
> > > I see the server is listening on the port 6999 as below but it's not
> > > accepting client request.
> > > root@logs:/etc# lsof -i :6999
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
> > >
> > >
> > >
> > > Best Regards,
> > > Rituraj B
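
The checks Steve walks through above (DAEMON_ACCEPT records, the use_libwrap default and hosts.allow, tcp_client_ports, enable_krb5), together with the lsof and netstat output from the aggregating server, where the only socket on the port is audisp-remote's own 192.168.103.7:6999->192.168.103.7:6999 in ESTABLISHED and nothing is in LISTEN, can be turned into a quick lint over the posted settings. What follows is an added example written for this page, not code from the thread or from the audit project. The key = value format of auditd.conf and audisp-remote.conf and the hosts_access(5) rule format are the real ones; the Host container, the lint rules and the sample config strings (built from the values posted above, with the option spelled tcp_listen_port as in auditd.conf(5)) are constructed for the example, and treating an unset tcp_client_ports as unrestricted is an assumption.

```python
"""Lint auditd/audisp-remote settings for the failure modes in the thread above.
Added example, not code from the thread or the audit project. The file formats
are real; Host, the rules and the sample strings are constructed here."""
import re
from dataclasses import dataclass

_KV = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_kv(text: str) -> dict[str, str]:
    """Parse auditd.conf / audisp-remote.conf lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        m = _KV.match(line.split("#", 1)[0])
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def parse_hosts_access(text: str) -> list[tuple[str, str]]:
    """Return (daemon_list, client_list) pairs from hosts.allow / hosts.deny."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, _, clients = line.partition(":")
            rules.append((daemon.strip(), clients.strip()))
    return rules


@dataclass
class Host:
    name: str
    addresses: set[str]           # addresses this host answers on
    auditd_conf: str
    audisp_remote_conf: str = ""  # empty when the plugin is not active
    hosts_allow: str = ""


def lint(host: Host) -> list[str]:
    a = parse_kv(host.auditd_conf)
    r = parse_kv(host.audisp_remote_conf)
    findings = []
    if "tcp_listen_port" not in a:
        return findings  # not an aggregating server; nothing below applies

    # Plugin on the aggregator pointed at the aggregator. With local_port == port
    # and no listener the kernel completes a TCP self-connection, which is the
    # lone ESTABLISHED 192.168.103.7:6999->192.168.103.7:6999 seen in lsof.
    target = r.get("remote_server", "")
    if r and (target in host.addresses or target == "localhost" or target.startswith("127.")):
        msg = f"{host.name}: audisp-remote targets itself ({target})"
        if r.get("local_port") == r.get("port"):
            msg += "; local_port == port gives a TCP self-connection, not a listener"
        findings.append(msg)

    # Source ports above 1023 let any local user on an allowed client connect.
    # Assumption: an unset tcp_client_ports is treated as unrestricted.
    ports = a.get("tcp_client_ports", "0-65535")
    lo, _, hi = ports.partition("-")
    if int(hi or lo) > 1023:
        findings.append(f"{host.name}: tcp_client_ports={ports} admits unprivileged source ports")

    # use_libwrap defaults to yes, so hosts.allow is the filter; ALL: ALL filters nothing.
    if a.get("use_libwrap", "yes") == "yes":
        for daemon, clients in parse_hosts_access(host.hosts_allow):
            if daemon.upper() in ("ALL", "AUDITD") and clients.upper() == "ALL":
                findings.append(f"{host.name}: hosts.allow '{daemon}: {clients}' admits every client")

    # Without Kerberos the stream is neither authenticated nor encrypted.
    if a.get("enable_krb5", "no") != "yes":
        findings.append(f"{host.name}: enable_krb5=no, remote events are unauthenticated and in the clear")
    return findings


# Constructed samples; the values are the ones posted in the thread.
SERVER_AUDITD_CONF = "tcp_listen_port = 6999\ntcp_max_per_addr = 10\ntcp_client_ports = 0-65535\nenable_krb5 = no\n"
AUDISP_REMOTE_CONF = "remote_server = 192.168.103.7\nport = 6999\nlocal_port = 6999\ntransport = tcp\n"


def lint_server_as_posted() -> list[str]:
    """The aggregating server as configured in the thread."""
    return lint(Host("logs", {"192.168.103.7"}, SERVER_AUDITD_CONF, AUDISP_REMOTE_CONF, "ALL: ALL\n"))


def lint_server_hardened() -> list[str]:
    """Plugin off on the server, privileged client ports, explicit allow list."""
    conf = SERVER_AUDITD_CONF.replace("0-65535", "1-1023")
    return lint(Host("logs", {"192.168.103.7"}, conf, "", "auditd: 192.168.103.0/255.255.255.0\n"))


if __name__ == "__main__":
    for tag, check in (("posted", lint_server_as_posted), ("hardened", lint_server_hardened)):
        for finding in check():
            print(f"{tag}: {finding}")
```

Run against the posted server settings this yields four findings. The first is the one that explains the lsof output: with remote_server set to the server's own address and local_port equal to port, audisp-remote's connect() lands on its own source socket, so the kernel completes a self-connection that shows as ESTABLISHED even though no daemon is listening. The hardened variant leaves only the krb5 note, which is a reminder rather than a defect: without Kerberos the audit stream has no peer authentication or encryption, so libwrap, the client port restriction and the network path are the only controls on who can inject or read events.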



From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 03 Oct 2017 11:08:57 -0400
Message-ID: <5167956.shIrRISz9z@x2>
References: <4285053.hh7HfXqAiY@x2>
To: Rituraj Buddhisagar
Cc: linux-audit@redhat.com

On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
>
> I did check iptables and I am not having any rules in there. I have allowed
> the connections in /etc/hosts.allow. But then I do not see auditd listening
> on port 60.
> It just shows "ESTABLISHED" connection on the aggregating server - which
> is itself!

You should not enable audisp-remote on the aggregating server. Auditd handles
incoming connections itself.

-Steve

> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
> [...]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 4 Oct 2017 00:10:02 +0530
In-Reply-To: <5167956.shIrRISz9z@x2>
References: <4285053.hh7HfXqAiY@x2> <5167956.shIrRISz9z@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

Hi Steve / Audit List;

I have this issue because Ubuntu has disabled support for listener in their distribution!!

On a blog I found that Debian has not disabled it but the Ubuntu distribution has.

I found this when I ran auditd in foreground with -f option.

Listener support is not enabled, ignoring value at line 25
tcp_listen_queue_parser called with: 5
Listener support is not enabled, ignoring value at line 26
tcp_max_per_addr_parser called with: 1
Listener support is not enabled, ignoring value at line 27
tcp_listen_queue_parser called with: 1024-65535
Listener support is not enabled, ignoring value at line 28
tcp_client_max_idle_parser called with: 0

Steve, I then went to source site ( https://people.redhat.com/sgrubb/audit/ ) and downloaded a zip from there.

I am doing an install using below config command : it fails with python-packages dependency.
./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
............
.............
.............

checking for python platform... linux2
checking for python script directory... ${prefix}/lib/python2.7/dist-packages
checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages
configure: error: Python explicitly requested and python headers were not found
root@guslogs:/usr/src/audit-2.7.8#

Please can you tell me which dependent packages I need to download and configure apart from python? (with a source link would help).

I see on the site that you have included - "Improved Remote Logging" in the Roadmap :) Appreciate it and anticipating it!

In the meanwhile I am also thinking of requesting Ubuntu for adding this support - not sure why they did this, what is their logic behind this. I hereby request if you can do something from your end to discuss with Ubuntu maintainers to enable this - as there is a HUGE Linux support base out there using that distro.

Thanks!


Best Regards,
Rituraj B


On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote:
On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
>
> I did check iptables and I am not having any rules in there. I have allowed
> the connections in /etc/hosts.allow. But then I do not see auditd listening
> on port 60.
> It just shows "ESTABLISHED" connection on the aggregating server - which
> is itself!

You should not enable audisp-remote on the aggregating server. Auditd handles
incoming connections itself.

-Steve

> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0               /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
> unix  2      [ ]         DGRAM                    17760    1897/systemd
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
> unix  2      [ ]         DGRAM                    20360    2136/auditd
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init               /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root@guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wr= ote:
> > > P
> > > =E2=80=8Blease see inline-
> > >
> > > regards
> > > =E2=80=8B
> > >
> > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddh= isagar wrote:
> > > > > Hi
> > > > >
> > > > > I tried my best to configure the audisp-remote. > > > > > I am getting below error on the client machine in = /var/log/syslog.
> > > > >
> > > > > Oct=C2=A0 2 14:41:15 xxxxxx audisp-remote: Error c= onnecting to
> >
> > 192.168.103.7:
> > > > > Connection refused
> > > >
> > > > On the server, what do you get for:
> > > >
> > > > ausearch --start recent -m DAEMON_ACCEPT -i
> > > >
> > > > The server side records some information about why it d= id not allow a
> > > > connection.
> > >
> > > =E2=80=8BI dont see any info in here.
> > >
> > > # ausearch --start recent -m DAEMON_ACCEPT -i
> > > <no matches>
> >
> > Then its not connecting at all. Maybe your firewall is blocking i= t. Maybe
> > selinux is blocking it? Once auditd sees its socket is readable, = it calls
> > accept(2) and there is no path through the code that doesn't = log an event
> > with
> > a reason. Every possible failure logs a distinct reason why the c= onnection
> > failed.
> >
> > > I tried without --start & -i options as well.
> >
> > --start today if you didn't connect within 10 minutes of runn= ing the
> > command.
> >
> > > But when I do a tcpdump on central server, I do see requests= coming in.
> >
> > (I
> >
> > > changed port to 60).
> > > # tcpdump -i eth1 '( port 60 )'
> > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S]= , seq
> >
> > 4076269451,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,= wscale 7],
> > > length 0
> > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.= ], seq 0, ack
> > > 4076269452, win 0, length 0
> > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S]= , seq
> >
> > 4076287474,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,= wscale 7],
> > > length 0
> > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.= ], seq 0, ack
> > > 18024, win 0, length 0
> > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S]= , seq
> >
> > 4076300652,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,= wscale 7],
> > > length 0
> > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.= ], seq 0, ack
> > > 31202, win 0, length 0
> > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S]= , seq
> >
> > 4076306151,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,= wscale 7],
> > > length 0
> > >
> > > I think the service is only listening locally and not for re= mote
> > > connections?
> >
> > It opens a socket on all addresses.
> > # netstat -tanp | grep auditd
> > tcp=C2=A0 =C2=A0 =C2=A0 =C2=A0 0=C2=A0 =C2=A0 =C2=A0 0 0.0.0.0:60=C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 0.0.0.0:*=C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0LISTEN
> > 893/auditd
> >
> > > root@logs:/etc/audit# lsof -i :60
> > > COMMAND=C2=A0 =C2=A0 PID USER=C2=A0 =C2=A0FD=C2=A0 =C2=A0TYP= E DEVICE SIZE/OFF NODE NAME
> > > audisp-re 1713 root=C2=A0 =C2=A0 3u=C2=A0 IPv4=C2=A0 17433= =C2=A0 =C2=A0 =C2=A0 0t0=C2=A0 TCP 192.168.103.7:60->
> > > 192.168.103.7:60 (ESTABLISHED)
> > >
> > >
> > > How do I see that I am using libwrap?
> >
> > It should have a config line in auditd.conf. If you do not, it de= faults to
> > yes. That means it looks in /etc/hosts.allow and hosts.deny to de= cide.
> > Odds
> > are you put nothing there and the connection proceeds. If I were = to guess,
> > I'd
> > say iptables is blocking your connection.
> >
> > > I have enable_krb5=3Dno in the
> > > auditd.conf on the aggregative server.
> >
> > Good. Cause doing a krb5 connection without setting that up will = cause it
> > to
> > fail also. I'd bet on iptables being the problem.
> >
> > -Steve
> >
> > > > > 192.168.103.7 is the IP address of the central log= server.
> > > > >
> > > > > Notes: My settings are below:
> > > > >
> > > > > on server as well on client:
> > > > > /etc/audisp/audisp-remote
> > > > >
> > > > > remote_server =3D 192.168.103.7
> > > > > port =3D 6999
> > > > > local_port =3D 6999
> > > > > transport =3D tcp
> > > > > queue_file =3D /var/spool/audit/remote.log
> > > > > mode =3D immediate
> > > > > queue_depth =3D 2048
> > > > > format =3D ascii
> > > > > network_retry_time =3D 100
> > > >
> > > > This is probably not your problem but managed is the no= rmal setting
> > > > for
> > > > format. And do you have enable_krb5 set to no?
> > > >
> > > > > I have enabled name_format=3DHOSTNAME only in one = place (in
> > > > > /etc/audisp/audispd.conf - and not in /etc/audit/a= uditd.conf
> > > > >
> > > > > entries in auditd.conf:
> > > > >
> > > > > rtcp_listen_port =3D 6999
> > > > > tcp_listen_queue =3D 5
> > > > > tcp_max_per_addr =3D 10
> > > > > tcp_client_ports =3D 0-65535
> > > > > tcp_client_max_idle =3D 0
> > > >
> > > > What do you have for use_libwrap and enable_krb5?
> > > >
> > > > The ausearcn info from the aggregating server should te= ll the reason
> >
> > why
> >
> > > > the
> > > > connection is rejected.
> > > >
> > > > -Steve
> > > >
> > > > > I see the server is listening on the port 6999 as = below but its not
> > > > > accepting client request.
> > > > > root@logs:/etc# lsof -i :6999
> > > > > COMMAND=C2=A0 =C2=A0 PID USER=C2=A0 =C2=A0FD=C2=A0= =C2=A0TYPE DEVICE SIZE/OFF NODE NAME
> > > > > audisp-re 9091 root=C2=A0 =C2=A0 3u=C2=A0 IPv4=C2= =A0 33671=C2=A0 =C2=A0 =C2=A0 0t0=C2=A0 TCP
> >
> > 192.168.103.7:6999
> >
> > > > ->
> > > >
> > > > > 192.168.103.7:6999 (ESTABLISHED)
> > > > >
> > > > >
> > > > >
> > > > > Best Regards,
> > > > > Rituraj B



From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 4 Oct 2017 00:38:14 +0530

Sorry if this seems like spamming, but after I sent the earlier mail - I
did install from source successfully with only --prefix=/usr/local

I am now facing an issue like the below:

root@guslogs:/etc/init.d# /usr/local/sbin/auditd
/usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd: undefined symbol: auparse_destroy_ext

If someone can point me to a clean and easy install with dependencies from
source it would help.

Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help!

Best Regards,
Rituraj B

On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar wrote:
> Hi Steve / Audit List ;
>
> I have this issue because Ubuntu has disabled support for listener in
> their distribution !!
>
> On a blog I found that Debian has not disabled it but the Ubuntu
> distribution has.
>
> I found this when I ran auditd in foreground with -f option.
>
> Listener support is not enabled, ignoring value at line 25
> tcp_listen_queue_parser called with: 5
> Listener support is not enabled, ignoring value at line 26
> tcp_max_per_addr_parser called with: 1
> Listener support is not enabled, ignoring value at line 27
> tcp_listen_queue_parser called with: 1024-65535
> Listener support is not enabled, ignoring value at line 28
> tcp_client_max_idle_parser called with: 0
>
> Steve, I then went to source site ( https://people.redhat.com/sgrubb/audit/ )
> and downloaded a zip from there.
>
> I am doing an install using below config command : it fails with
> python-packages dependency.
> ./configure --prefix=/usr/local --sbindir=/usr/local/sbin
> --with-python=yes --with-libwrap --enable-gssapi-krb5=yes
> --with-libcap-ng=yes
> ............
> .............
> .............
>
> checking for python platform... linux2
> checking for python script directory... ${prefix}/lib/python2.7/dist-packages
> checking for python extension module directory...
> ${exec_prefix}/lib/python2.7/dist-packages
> configure: error: Python explicitly requested and python headers were not
> found
> root@guslogs:/usr/src/audit-2.7.8#
>
> Please can you tell me which dependent packages I need to download and
> configure apart from python? (with a source link would help).
>
> I see on the site that you have included - "Improved Remote Logging" in
> the Roadmap :) Appreciate it and anticipating it !
>
> In the meanwhile I am also thinking of requesting Ubuntu for adding this
> support - not sure why they did this, what is their logic behind this. I
> hereby request if you can do something from your end to discuss with Ubuntu
> maintainers to enable this - as there is a HUGE Linux support base out there
> using that distro.
>
> Thanks!
>
> Best Regards,
> Rituraj B
>
> On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb wrote:
>
>> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
>> > Hi Steve,
>> >
>> > I did check IPtables and I am not having any rules in there. I have
>> > allowed the connections in /etc/hosts.allow. But then I do not see auditd
>> > listening on port 60.
>> > It just shows "ESTABLISHED" connection on the aggregating server - which
>> > is itself!
>>
>> You should not enable audisp-remote on the aggregating server. Auditd
>> handles incoming connections itself.
>>
>> -Steve
>>
>> > root@guslogs:/etc/audit# lsof -i :60
>> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>> > root@guslogs:/etc/audit#
>> > root@guslogs:/etc/audit# netstat -pan | grep 60
>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
>> > tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
>> > tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
>> > unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0      /tmp/ssh-h0brbTMA4a/agent.1925
>> > unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
>> > unix  2      [ ]         DGRAM                    17760    1897/systemd
>> > unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
>> > unix  2      [ ]         DGRAM                    20360    2136/auditd
>> > unix  3      [ ]         STREAM     CONNECTED     13260    1/init      /run/systemd/journal/stdout
>> > root@guslogs:/etc/audit#
>> > root@guslogs:/etc/audit# netstat -tanp | grep auditd
>> > root@guslogs:/etc/audit#
>> > root@guslogs:/etc/audit# iptables -L
>> > Chain INPUT (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain FORWARD (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain OUTPUT (policy ACCEPT)
>> > target     prot opt source               destination
>> > root@guslogs:/etc/audit#
>> > root@guslogs:/etc/audit# cat /etc/hosts.allow
>> > # /etc/hosts.allow: list of hosts that are allowed to access the system.
>> > #                   See the manual pages hosts_access(5) and hosts_options(5).
>> > #
>> > # Example:    ALL: LOCAL @some_netgroup
>> > #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>> > #
>> > # If you're going to protect the portmapper use the name "rpcbind" for the
>> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
>> > #
>> >
>> > ALL: ALL
>> > root@guslogs:/etc/audit#
>> >
>> > Best Regards,
>> > Rituraj B
>> >
>> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb wrote:
>> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>> > > > Please see inline-
>> > > >
>> > > > regards
>> > > >
>> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote:
>> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>> > > > > > Hi
>> > > > > >
>> > > > > > I tried my best to configure the audisp-remote.
>> > > > > > I am getting below error on the client machine in /var/log/syslog.
>> > > > > >
>> > > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>> > > > >
>> > > > > On the server, what do you get for:
>> > > > >
>> > > > > ausearch --start recent -m DAEMON_ACCEPT -i
>> > > > >
>> > > > > The server side records some information about why it did not allow a
>> > > > > connection.
>> > > >
>> > > > I don't see any info in here.
>> > > >
>> > > > # ausearch --start recent -m DAEMON_ACCEPT -i
>> > > > <no matches>
>> > >
>> > > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>> > > selinux is blocking it? Once auditd sees its socket is readable, it calls
>> > > accept(2) and there is no path through the code that doesn't log an event
>> > > with a reason. Every possible failure logs a distinct reason why the
>> > > connection failed.
>> > >
>> > > > I tried without --start & -i options as well.
>> > >
>> > > --start today if you didn't connect within 10 minutes of running the
>> > > command.
>> > >
>> > > > But when I do a tcpdump on central server, I do see requests coming in. (I
>> > > > changed port to 60).
>> > > > # tcpdump -i eth1 '( port 60 )'
>> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451,
>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > > > length 0
>> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > > > 4076269452, win 0, length 0
>> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474,
>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > > > length 0
>> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > > > 18024, win 0, length 0
>> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652,
>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > > > length 0
>> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
>> > > > 31202, win 0, length 0
>> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151,
>> > > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
>> > > > length 0
>> > > >
>> > > > I think the service is only listening locally and not for remote
>> > > > connections?
>> > >
>> > > It opens a socket on all addresses.
>> > > # netstat -tanp | grep auditd
>> > > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
>> > >
>> > > > root@logs:/etc/audit# lsof -i :60
>> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>> > > >
>> > > > How do I see that I am using libwrap?
>> > >
>> > > It should have a config line in auditd.conf. If you do not, it defaults to
>> > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
>> > > are you put nothing there and the connection proceeds. If I were to guess,
>> > > I'd say iptables is blocking your connection.
>> > >
>> > > > I have enable_krb5=no in the
>> > > > auditd.conf on the aggregative server.
>> > >
>> > > Good. Cause doing a krb5 connection without setting that up will cause it
>> > > to fail also. I'd bet on iptables being the problem.
>> > >
>> > > -Steve
>> > >
>> > > > > > 192.168.103.7 is the IP address of the central log server.
>> > > > > >
>> > > > > > Notes: My settings are below:
>> > > > > >
>> > > > > > on server as well on client:
>> > > > > > /etc/audisp/audisp-remote
>> > > > > >
>> > > > > > remote_server = 192.168.103.7
>> > > > > > port = 6999
>> > > > > > local_port = 6999
>> > > > > > transport = tcp
>> > > > > > queue_file = /var/spool/audit/remote.log
>> > > > > > mode = immediate
>> > > > > > queue_depth = 2048
>> > > > > > format = ascii
>> > > > > > network_retry_time = 100
>> > > > >
>> > > > > This is probably not your problem but managed is the normal setting
>> > > > > for format. And do you have enable_krb5 set to no?
>> > > > >
>> > > > > > I have enabled name_format=HOSTNAME only in one place (in
>> > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
>> > > > > >
>> > > > > > entries in auditd.conf:
>> > > > > >
>> > > > > > rtcp_listen_port = 6999
>> > > > > > tcp_listen_queue = 5
>> > > > > > tcp_max_per_addr = 10
>> > > > > > tcp_client_ports = 0-65535
>> > > > > > tcp_client_max_idle = 0
>> > > > >
>> > > > > What do you have for use_libwrap and enable_krb5?
>> > > > >
>> > > > > The ausearch info from the aggregating server should tell the reason
>> > > > > why the connection is rejected.
>> > > > >
>> > > > > -Steve
>> > > > >
>> > > > > > I see the server is listening on the port 6999 as below but it's not
>> > > > > > accepting client request.
>> > > > > > root@logs:/etc# lsof -i :6999
>> > > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> > > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>> > > > > >
>> > > > > > Best Regards,
>> > > > > > Rituraj B
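The thread's diagnoses (listener support compiled out of Ubuntu's auditd, audisp-remote wrongly enabled on the aggregating server, use_libwrap defaulting to yes, enable_krb5, format = ascii versus managed) can be turned into a triage script that reads the config files and the `auditd -f` output. This is an added example, not code from the audit project or from anyone in the thread; the listener key list is taken from auditd.conf(5), the plugin "active = yes" stanza is assumed to be the plugins.d au-remote.conf form, and all sample inputs are constructed to mirror the settings posted above.

```python
import re

# auditd.conf keys that govern the aggregator's TCP listener, per auditd.conf(5)
# (assumption: taken from the man page, not from the thread).
LISTENER_KEYS = {"tcp_listen_port", "tcp_listen_queue", "tcp_max_per_addr",
                 "tcp_client_ports", "tcp_client_max_idle", "use_libwrap",
                 "enable_krb5", "krb5_principal"}
# The warning Ubuntu's listener-less build printed under 'auditd -f' in the thread.
NO_LISTENER_MSG = "Listener support is not enabled"


def parse_conf(text):
    """Parse audit-style 'key = value' lines; '#' comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def listener_compiled_out(auditd_f_output):
    """True when 'auditd -f' reports that the tcp_* settings are being ignored."""
    return NO_LISTENER_MSG in auditd_f_output


def check_aggregator(auditd_conf, auditd_f_output, plugin_conf, remote_conf, local_addrs):
    """Return [(severity, finding)] for an auditd aggregation server.

    auditd_conf:     text of /etc/audit/auditd.conf
    auditd_f_output: what 'auditd -f' printed at startup
    plugin_conf:     text of the audisp-remote plugin stanza (assumed au-remote.conf)
    remote_conf:     text of /etc/audisp/audisp-remote.conf on this host
    local_addrs:     set of addresses this host owns
    """
    findings = []
    a = parse_conf(auditd_conf)
    if listener_compiled_out(auditd_f_output):
        findings.append(("FAIL", "auditd was built without listener support: every "
                                 "tcp_* setting is ignored and clients are refused"))
    if "tcp_listen_port" not in a:
        findings.append(("FAIL", "tcp_listen_port is not set, so auditd will not listen"))
    for key in sorted(a):
        if key not in LISTENER_KEYS and re.search(r"tcp|krb5|libwrap", key):
            findings.append(("WARN", f"'{key}' is not a recognised auditd.conf listener key"))
    # Steve's point: auditd accepts the connections itself; audisp-remote on the
    # aggregator only makes the host connect to its own port.
    if parse_conf(plugin_conf).get("active", "no").lower() == "yes":
        target = parse_conf(remote_conf).get("remote_server", "")
        if target in local_addrs:
            findings.append(("FAIL", f"audisp-remote is active here and points at {target}, "
                                     "which is this host: the aggregator must not run the plugin"))
    if a.get("enable_krb5", "no").lower() == "yes" and "krb5_principal" not in a:
        findings.append(("WARN", "enable_krb5 = yes without krb5_principal; clients not "
                                 "set up for Kerberos will fail to connect"))
    if a.get("use_libwrap", "yes").lower() == "yes":
        findings.append(("INFO", "use_libwrap is on (the default): /etc/hosts.allow and "
                                 "hosts.deny decide which clients may connect"))
    return findings


def check_client(remote_conf):
    """Client-side audisp-remote.conf checks raised in the thread."""
    r = parse_conf(remote_conf)
    findings = []
    if "remote_server" not in r:
        findings.append(("FAIL", "remote_server is not set"))
    if r.get("format", "").lower() == "ascii":
        findings.append(("INFO", "format = ascii; 'managed' is the normal setting"))
    return findings


# Constructed sample inputs mirroring the settings posted in the thread.
AUDITD_CONF = """\
rtcp_listen_port = 6999
tcp_listen_queue = 5
tcp_max_per_addr = 10
tcp_client_ports = 0-65535
tcp_client_max_idle = 0
enable_krb5 = no
"""
AUDITD_F_OUTPUT = """\
Listener support is not enabled, ignoring value at line 25
tcp_listen_queue_parser called with: 5
"""
AU_REMOTE_PLUGIN = "active = yes\n"   # constructed; assumed au-remote.conf form
AUDISP_REMOTE_CONF = """\
remote_server = 192.168.103.7
port = 6999
local_port = 6999
transport = tcp
format = ascii
"""

if __name__ == "__main__":
    for sev, msg in check_aggregator(AUDITD_CONF, AUDITD_F_OUTPUT, AU_REMOTE_PLUGIN,
                                     AUDISP_REMOTE_CONF, {"192.168.103.7"}):
        print(sev, msg)
```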
From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 4 Oct 2017 01:30:27 +0530
To: Steve Grubb
Cc: linux-audit@redhat.com

Steve,

Here is the relevant discussion on disabling the tcp listener on Ubuntu.
https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html

I do not know what exactly caused the change - but now I think it should be enabled in distributions.

Please let me know.

Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source now. Still, audispd is not started now - what is the way / sequence to start auditd and audispd? If you can point me to some reference or a startup script, that will help.

Thanks!

On Wed, Oct 4, 2017 at 12:38 AM, Rituraj Buddhisagar wrote:
> Sorry if this seems like spamming, but after I sent the earlier mail - I
> did install from source successfully with only --prefix=/usr/local
>
> I am now facing an issue like the below:
>
> root@guslogs:/etc/init.d# /usr/local/sbin/auditd
> /usr/local/sbin/auditd: symbol lookup error: /usr/local/sbin/auditd:
> undefined symbol: auparse_destroy_ext
>
> If someone can point me to a clean and easy install with dependencies from
> source it would help.
>
> Steve, please see my previous mail regarding Ubuntu. Thanks a lot for help!
>
> Best Regards,
> Rituraj B
>
> On Wed, Oct 4, 2017 at 12:10 AM, Rituraj Buddhisagar wrote:
>> Hi Steve / Audit List;
>>
>> I have this issue because Ubuntu has disabled support for the listener in
>> their distribution!!
>>
>> On a blog I found that Debian has not disabled it but the Ubuntu
>> distribution has.
>>
>> I found this when I ran auditd in the foreground with the -f option.
>>
>> Listener support is not enabled, ignoring value at line 25
>> tcp_listen_queue_parser called with: 5
>> Listener support is not enabled, ignoring value at line 26
>> tcp_max_per_addr_parser called with: 1
>> Listener support is not enabled, ignoring value at line 27
>> tcp_listen_queue_parser called with: 1024-65535
>> Listener support is not enabled, ignoring value at line 28
>> tcp_client_max_idle_parser called with: 0
>>
>> Steve, I then went to the source site ( https://people.redhat.com/sgrubb/audit/ )
>> and downloaded a zip from there.
>>
>> I am doing an install using the below config command: it fails with a
>> python-packages dependency.
>> ./configure --prefix=/usr/local --sbindir=/usr/local/sbin
>> --with-python=yes --with-libwrap --enable-gssapi-krb5=yes
>> --with-libcap-ng=yes
>> ............
>> .............
>> .............
>>
>> checking for python platform... linux2
>> checking for python script directory... ${prefix}/lib/python2.7/dist-packages
>> checking for python extension module directory...
>> ${exec_prefix}/lib/python2.7/dist-packages
>> configure: error: Python explicitly requested and python headers were not
>> found
>> root@guslogs:/usr/src/audit-2.7.8#
>>
>> Please can you tell me which dependent packages I need to download and
>> configure apart from python? (with a source link would help).
>>
>> I see on the site that you have included "Improved Remote Logging" in
>> the Roadmap :) Appreciate it and anticipating it!
>>
>> In the meanwhile I am also thinking of requesting Ubuntu to add this
>> support - not sure why they did this, what is their logic behind this. I
>> hereby request if you can do something from your end to discuss with Ubuntu
>> maintainers to enable this - as there is a HUGE Linux support base out there
>> using that distro.
>>
>> Thanks!
>>
>> Best Regards,
>> Rituraj B
>>
>> On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb wrote:
>>> On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
>>> > Hi Steve,
>>> >
>>> > I did check iptables and I am not having any rules in there. I have allowed
>>> > the connections in /etc/hosts.allow. But then I do not see auditd listening
>>> > on port 60.
>>> > It just shows an "ESTABLISHED" connection on the aggregating server - which
>>> > is itself!
>>>
>>> You should not enable audisp-remote on the aggregating server. Auditd handles
>>> incoming connections itself.
>>>
>>> -Steve
>>>
>>> > root@guslogs:/etc/audit# lsof -i :60
>>> > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -pan | grep 60
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1260/sshd
>>> > tcp    10491   1360 192.168.103.7:60        192.168.103.7:60        ESTABLISHED 2146/audisp-remote
>>> > tcp6       0      0 :::22                   :::*                    LISTEN      1260/sshd
>>> > unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0       /tmp/ssh-h0brbTMA4a/agent.1925
>>> > unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
>>> > unix  2      [ ]         DGRAM                    17760    1897/systemd
>>> > unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
>>> > unix  2      [ ]         DGRAM                    20360    2136/auditd
>>> > unix  3      [ ]         STREAM     CONNECTED     13260    1/init       /run/systemd/journal/stdout
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# netstat -tanp | grep auditd
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# iptables -L
>>> > Chain INPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain FORWARD (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> > root@guslogs:/etc/audit#
>>> > root@guslogs:/etc/audit# cat /etc/hosts.allow
>>> > # /etc/hosts.allow: list of hosts that are allowed to access the system.
>>> > #                   See the manual pages hosts_access(5) and
>>> > hosts_options(5).
>>> > #
>>> > # Example:    ALL: LOCAL @some_netgroup
>>> > #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>>> > #
>>> > # If you're going to protect the portmapper use the name "rpcbind" for the
>>> > # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
>>> > #
>>> >
>>> > ALL: ALL
>>> > root@guslogs:/etc/audit#
>>> >
>>> > Best Regards,
>>> > Rituraj B
>>> >
>>> > On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb wrote:
>>> > > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
>>> > > > Please see inline-
>>> > > >
>>> > > > regards
>>> > > >
>>> > > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb wrote:
>>> > > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
>>> > > > > > Hi
>>> > > > > >
>>> > > > > > I tried my best to configure the audisp-remote.
>>> > > > > > I am getting the below error on the client machine in /var/log/syslog.
>>> > > > > >
>>> > > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to 192.168.103.7: Connection refused
>>> > > > >
>>> > > > > On the server, what do you get for:
>>> > > > >
>>> > > > > ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > >
>>> > > > > The server side records some information about why it did not allow a
>>> > > > > connection.
>>> > > >
>>> > > > I don't see any info in here.
>>> > > >
>>> > > > # ausearch --start recent -m DAEMON_ACCEPT -i
>>> > > > <no matches>
>>> > >
>>> > > Then it's not connecting at all. Maybe your firewall is blocking it. Maybe
>>> > > selinux is blocking it? Once auditd sees its socket is readable, it calls
>>> > > accept(2) and there is no path through the code that doesn't log an event with
>>> > > a reason. Every possible failure logs a distinct reason why the connection
>>> > > failed.
>>> > >
>>> > > > I tried without --start & -i options as well.
>>> > >
>>> > > --start today if you didn't connect within 10 minutes of running the
>>> > > command.
>>> > >
>>> > > > But when I do a tcpdump on the central server, I do see requests coming in. (I
>>> > > > changed the port to 60).
>>> > > > # tcpdump -i eth1 '( port 60 )'
>>> > > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076269451, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 4076269452, win 0, length 0
>>> > > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076287474, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 18024, win 0, length 0
>>> > > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076300652, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack 31202, win 0, length 0
>>> > > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq 4076306151, win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7], length 0
>>> > > >
>>> > > > I think the service is only listening locally and not for remote
>>> > > > connections?
>>> > >
>>> > > It opens a socket on all addresses.
>>> > > # netstat -tanp | grep auditd
>>> > > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN      893/auditd
>>> > >
>>> > > > root@logs:/etc/audit# lsof -i :60
>>> > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->192.168.103.7:60 (ESTABLISHED)
>>> > > >
>>> > > > How do I see that I am using libwrap?
>>> > >
>>> > > It should have a config line in auditd.conf. If you do not, it defaults to
>>> > > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide. Odds
>>> > > are you put nothing there and the connection proceeds. If I were to guess, I'd
>>> > > say iptables is blocking your connection.
>>> > >
>>> > > > I have enable_krb5=no in the
>>> > > > auditd.conf on the aggregating server.
>>> > >
>>> > > Good. Cause doing a krb5 connection without setting that up will cause it to
>>> > > fail also. I'd bet on iptables being the problem.
>>> > >
>>> > > -Steve
>>> > >
>>> > > > > > 192.168.103.7 is the IP address of the central log server.
>>> > > > > >
>>> > > > > > Notes: My settings are below:
>>> > > > > >
>>> > > > > > on server as well as on client:
>>> > > > > > /etc/audisp/audisp-remote
>>> > > > > >
>>> > > > > > remote_server = 192.168.103.7
>>> > > > > > port = 6999
>>> > > > > > local_port = 6999
>>> > > > > > transport = tcp
>>> > > > > > queue_file = /var/spool/audit/remote.log
>>> > > > > > mode = immediate
>>> > > > > > queue_depth = 2048
>>> > > > > > format = ascii
>>> > > > > > network_retry_time = 100
>>> > > > >
>>> > > > > This is probably not your problem but managed is the normal setting for
>>> > > > > format. And do you have enable_krb5 set to no?
>>> > > > >
>>> > > > > > I have enabled name_format=HOSTNAME only in one place (in
>>> > > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf)
>>> > > > > >
>>> > > > > > entries in auditd.conf:
>>> > > > > >
>>> > > > > > rtcp_listen_port = 6999
>>> > > > > > tcp_listen_queue = 5
>>> > > > > > tcp_max_per_addr = 10
>>> > > > > > tcp_client_ports = 0-65535
>>> > > > > > tcp_client_max_idle = 0
>>> > > > >
>>> > > > > What do you have for use_libwrap and enable_krb5?
>>> > > > >
>>> > > > > The ausearch info from the aggregating server should tell the reason why
>>> > > > > the connection is rejected.
>>> > > > >
>>> > > > > -Steve
>>> > > > >
>>> > > > > > I see the server is listening on the port 6999 as below but it's not
>>> > > > > > accepting client requests.
>>> > > > > > root@logs:/etc# lsof -i :6999
>>> > > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>> > > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP 192.168.103.7:6999->192.168.103.7:6999 (ESTABLISHED)
>>> > > > > >
>>> > > > > > Best Regards,
>>> > > > > > Rituraj B
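Steve's point in the quoted exchange above is that auditd writes a DAEMON_ACCEPT record for every accept(2) on its listener, so an empty `ausearch -m DAEMON_ACCEPT` on the aggregator means the TCP connection never reached auditd at all (consistent with the RST replies visible in the tcpdump), while a record with anything other than res=success carries the reason the connection was turned away. As an added example, not code from the thread or from the audit project, here is a POSIX shell/awk summariser for such records. The sample records are constructed: only the first mirrors the success record posted later in this thread, and the `res=no` refusal is a stand-in (a real refusal record carries more fields), so the summariser keys only on the `addr=` and `res=` fields and prints the refused records verbatim rather than guessing their layout.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): summarise
# DAEMON_ACCEPT records from the aggregating auditd, per client address.
# Input: raw audit.log lines or "ausearch -m DAEMON_ACCEPT" output on stdin.

# Constructed sample. First line mirrors the success record seen in the
# thread; the res=no line is a stand-in for a refusal; the DAEMON_START-like
# line is a distractor that must be ignored (its fields are made up).
SAMPLE_RECORDS='node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success
node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.241:7273): addr=192.168.103.2 port=60 res=success
node=guslogs type=DAEMON_ACCEPT msg=audit(1507125200.000:7290): addr=192.168.103.9 port=60 res=no
node=guslogs type=DAEMON_START msg=audit(1507125100.000:7200): op=start res=success'

# summarize_daemon_accept < records
#   Prints "<addr> accepted=<n> refused=<n>" for each client address, and
#   under it the full text of every non-success record for that address.
summarize_daemon_accept() {
    awk '
        $0 !~ /type=DAEMON_ACCEPT/ { next }       # other record types: skip
        {
            addr = ""; res = ""
            for (i = 1; i <= NF; i++) {           # pull only the two fields we trust
                if (index($i, "addr=") == 1) addr = substr($i, 6)
                if (index($i, "res=") == 1)  res  = substr($i, 5)
            }
            if (addr == "") addr = "unknown"
            seen[addr] = 1
            if (res == "success") ok[addr]++
            else { bad[addr]++; detail[addr] = detail[addr] "\n    " $0 }
        }
        END {
            for (a in seen)
                printf "%s accepted=%d refused=%d%s\n", a, ok[a], bad[a], detail[a]
        }'
}

# Stand-alone run over the constructed sample (order of addresses is not fixed).
printf '%s\n' "$SAMPLE_RECORDS" | summarize_daemon_accept
```

On a live aggregator the same function is fed with `ausearch --start today -m DAEMON_ACCEPT --raw | summarize_daemon_accept`; a client that shows up with refused counts has reached auditd and is being rejected for the reason in the printed record, one that shows up nowhere is being stopped before auditd ever sees it (firewall, libwrap, or a listener that was never built in, all of which came up in this thread).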
From: Steve Grubb
Subject: Re: Audisp-remote - connection refused.
Date: Tue, 03 Oct 2017 16:22:40 -0400
Message-ID: <3549698.YC68fSqtMQ@x2>
To: Rituraj Buddhisagar
Cc: linux-audit@redhat.com

On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> Steve,
>
> Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
>
> I do not know what exactly caused the change - but now I think it should be
> enabled in distributions.
>
> Please let me know.
>
> Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from source
> now. Still audispd is not started now - what is the way / sequence to start
> auditd and audispd - if you can point me to some reference or a startup
> script will help.

Since you installed in a non-standard location, you probably need to adjust
paths in the config files.

What I would recommend is not to build and install by hand, but to use their
package manager to build a new package with listening enabled. The ./configure
script takes a --disable-listener parameter. So, it's probably as simple as
deleting that in the source package and rebuilding.

That said, I have no idea how to build a package on Debian or Ubuntu.

-Steve

From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 4 Oct 2017 19:31:49 +0530
In-Reply-To: <3549698.YC68fSqtMQ@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com

Hi Steve / List

Now, I have built auditd from source as per the mail thread and then also
created a startup script.

The auditd is starting successfully.

The client is able to connect to the aggregating server.

*node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): addr=192.168.103.2 port=60 res=success*

I have made the necessary change in the server in /etc/audit/auditd.conf

*log_format = NOLOG*

I do not see any logs being populated - I checked the log file on the client, the
server - also the /var/spool/audit/remote.log on the client.
On the server side /var/spool/audit/remote.log is empty (I am not sure if
this is something I should be checking at all)

I am clueless as to what is happening. Is there some way to debug this?
Where are these logs getting lost?
When I change the log_format back to RAW I do see the logs getting created on
the client.

I did my best reading on the net and debugging this - but no success. Please help.

On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb wrote:
> On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > Steve,
> >
> > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> >
> > I do not know what exactly caused the change - but now I think it should be
> > enabled in distributions.
> >
> > Please let me know.
> >
> > Btw, I got auditd running (by setting the LD_LIBRARY_PATH variable) from
> > source now. Still audispd is not started now - what is the way / sequence to
> > start auditd and audispd - if you can point me to some reference or a startup
> > script will help.
>
> Since you installed in a non-standard location, you probably need to adjust
> paths in the config files.
>
> What I would recommend is not to build and install by hand, but to use their
> package manager to build a new package with listening enabled. The ./configure
> script takes a --disable-listener parameter. So, it's probably as simple as
> deleting that in the source package and rebuilding.
>
> That said, I have no idea how to build a package on Debian or Ubuntu.
>
> -Steve
--001a11455ee09eda83055ab90ce0-- --===============7342493811933273911== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============7342493811933273911==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Audisp-remote - connection refused. Date: Wed, 04 Oct 2017 11:19:40 -0400 Message-ID: <7773077.6JsVQVb1J2@x2> References: <3549698.YC68fSqtMQ@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Rituraj Buddhisagar Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote: > Hi Steve / List > > Now, I have built auditd from source as per the mail thread and then also > created a startup script. > > The auditd is starting successfully. > > The client is able to connect to the aggregating server. > > > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): > addr=192.168.103.2 port=60 res=success* > > > I have made the necessary change in the server in /etc/audit/auditd.conf > > *log_format = NOLOG* This is a deprecated option tells it to not write anything to disk. > I do not see any logs being populated - I checked log file on client, the > server - also the /var/spool/audit/remote.log on the client. > On the server side /var/spool/audit/remote.log is empty (I am not sure if > this is something I should be checking at all) > > I am clueless as to what is happening. Is there some way to debug this? Did you modify auditd.conf to have the format be nolog? If so, its an explained condition. Nolog means no logging to disk. > Where are these logs getting lost? > When change the log_format back to RAW I do see the logs getting created on > the client. 
For remote logging, you should set the format to enriched. This resolves
things locally so that the aggregating server can make sense of it later. If
you do not want events written to disk on the remote system, set write_logs =
no. You should also set name_format = hostname (or something else) in
auditd.conf of the remote systems. This is so you can tell who is creating the
events in the aggregating server.

On the aggregating server, also set the format to enriched. But there you have
to have write_logs = yes. Also set name_format = hostname in auditd.conf of
the server.

I would not recommend setting the name in audispd.conf for any system.

-Steve

> I did my best reading on net and debugging this - but no success. Please
> help.
>
> On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb wrote:
> > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > > Steve,
> > >
> > > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> > >
> > > I do not know what exactly caused change - but now I think it should be
> > > enabled in distributions.
> > >
> > > Please let me know.
> > >
> > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source
> > > now. Still audispd is not started now - what is the way / sequence to start
> > > auditd and audispd - if you can point me to some reference or a startup
> > > script will help.
> >
> > Since you installed in a non-standard location, you probably need to adjust
> > paths in the config files.
> >
> > What I would recommend is not to build and install by hand, but to use their
> > package manager to build a new package with listening enabled. The ./configure
> > script takes a --disable-listener parameter. So, it's probably as simple as
> > deleting that in the source package and rebuilding.
> >
> > That said, I have no idea how to build a package on Debian or Ubuntu.
> >
> > -Steve

From: Rituraj Buddhisagar
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 4 Oct 2017 21:32:06 +0530
References: <3549698.YC68fSqtMQ@x2> <7773077.6JsVQVb1J2@x2>
In-Reply-To: <7773077.6JsVQVb1J2@x2>

Hi Steve,

I did the necessary,
Change in auditd.conf - log_format to ENRICHED.
write_logs set to "no" on client and "yes" on aggregating server.
name_format was already set in auditd.conf and not in audispd.conf on both
the servers.

I still do not see any logs coming in /var/log/audit/audit.log on
aggregating server.

Any debugging tools to see the queue of audisp-remote? The spool file
/var/spool/audit/remote.log is not having entries populated (btw I had to
create it manually).

Thanks!
On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb wrote:
> On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote:
> > Hi Steve / List
> >
> > Now, I have built auditd from source as per the mail thread and then also
> > created a startup script.
> >
> > The auditd is starting successfully.
> >
> > The client is able to connect to the aggregating server.
> >
> > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
> > addr=192.168.103.2 port=60 res=success*
> >
> > I have made the necessary change in the server in /etc/audit/auditd.conf
> >
> > *log_format = NOLOG*
>
> This is a deprecated option that tells it to not write anything to disk.
>
> > I do not see any logs being populated - I checked log file on client, the
> > server - also the /var/spool/audit/remote.log on the client.
> > On the server side /var/spool/audit/remote.log is empty (I am not sure if
> > this is something I should be checking at all)
> >
> > I am clueless as to what is happening. Is there some way to debug this?
>
> Did you modify auditd.conf to have the format be nolog? If so, it's an
> explained condition. Nolog means no logging to disk.
>
> > Where are these logs getting lost?
> > When I change the log_format back to RAW I do see the logs getting created on
> > the client.
>
> For remote logging, you should set the format to enriched. This resolves
> things locally so that the aggregating server can make sense of it later. If
> you do not want events written to disk on the remote system, set write_logs =
> no. You should also set name_format = hostname (or something else) in
> auditd.conf of the remote systems. This is so you can tell who is creating the
> events in the aggregating server.
>
> On the aggregating server, also set the format to enriched. But there you have
> to have write_logs = yes. Also set name_format = hostname in auditd.conf of
> the server.
>
> I would not recommend setting the name in audispd.conf for any system.
>
> -Steve
>
> > I did my best reading on net and debugging this - but no success. Please
> > help.
> >
> > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb wrote:
> > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > > > Steve,
> > > >
> > > > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> > > >
> > > > I do not know what exactly caused change - but now I think it should be
> > > > enabled in distributions.
> > > >
> > > > Please let me know.
> > > >
> > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source
> > > > now. Still audispd is not started now - what is the way / sequence to start
> > > > auditd and audispd - if you can point me to some reference or a startup
> > > > script will help.
> > >
> > > Since you installed in a non-standard location, you probably need to adjust
> > > paths in the config files.
> > >
> > > What I would recommend is not to build and install by hand, but to use their
> > > package manager to build a new package with listening enabled. The ./configure
> > > script takes a --disable-listener parameter. So, it's probably as simple as
> > > deleting that in the source package and rebuilding.
> > >
> > > That said, I have no idea how to build a package on Debian or Ubuntu.
> > >
> > > -Steve
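The settings Steve recommends in the message quoted above (log_format = ENRICHED on both sides, write_logs per role, name_format in auditd.conf rather than audispd.conf) and his later remark in this thread that the spool file is only used in forward mode, turned into a small configuration checker. This is an added example written for this archive page, not code from the audit project; the role names "remote" and "aggregator" are this example's own, and the sample configuration texts are constructed to mirror the settings posted in the thread.

```python
"""Check auditd.conf / audispd.conf / audisp-remote.conf for remote logging.

Added example for this thread (not part of the audit project). The rules encode
the advice given in the thread:
  - both roles: log_format = ENRICHED, name_format set (not none) in auditd.conf
  - remote:     write_logs may be no; aggregator: write_logs must be yes
  - NOLOG is deprecated (it means: write nothing to disk)
  - name_format belongs in auditd.conf, not audispd.conf
  - audisp-remote.conf only uses queue_file when mode = forward
"""
import re

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment. Keys are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def check_remote_logging(role, auditd_conf, audispd_conf="", audisp_remote_conf=""):
    """Return a list of (severity, message) findings for one system.

    role is 'remote' (a system sending events) or 'aggregator' (the receiver).
    Defaults for missing keys follow auditd's own: RAW, write_logs = yes,
    name_format = none, mode = immediate.
    """
    if role not in ("remote", "aggregator"):
        raise ValueError("role must be 'remote' or 'aggregator'")
    a = parse_conf(auditd_conf)
    d = parse_conf(audispd_conf)
    r = parse_conf(audisp_remote_conf)
    findings = []

    fmt = a.get("log_format", "RAW").upper()
    if fmt == "NOLOG":
        findings.append(("error", "log_format = NOLOG is deprecated and writes "
                                  "nothing; use ENRICHED plus write_logs = no"))
    elif fmt != "ENRICHED":
        findings.append(("error", f"log_format = {fmt}; set ENRICHED so events are "
                                  "resolved locally before aggregation"))

    write_logs = a.get("write_logs", "yes").lower()
    if role == "aggregator" and write_logs != "yes":
        findings.append(("error", "aggregator needs write_logs = yes, otherwise "
                                  "received events are never written"))
    elif role == "remote" and write_logs == "yes":
        findings.append(("info", "write_logs = yes on a remote: events are also "
                                 "kept on local disk"))

    if a.get("name_format", "none").lower() == "none":
        findings.append(("error", "name_format is unset in auditd.conf; events "
                                  "carry no node= field on the aggregator"))
    if "name_format" in d:
        findings.append(("warning", "name_format is set in audispd.conf; set it "
                                    "in auditd.conf instead"))

    if role == "remote" and r:
        mode = r.get("mode", "immediate").lower()
        if mode != "forward" and "queue_file" in r:
            findings.append(("info", f"mode = {mode}: queue_file is not used "
                                     "(only forward mode spools to disk)"))
    return findings


# Constructed samples mirroring the settings posted in the thread.
BROKEN_REMOTE_AUDITD = "log_format = NOLOG\n"
BROKEN_AUDISPD = "name_format = HOSTNAME\n"        # set in the wrong file
REMOTE_AUDISP_REMOTE = (
    "remote_server = 192.168.103.7\nport = 6999\ntransport = tcp\n"
    "queue_file = /var/spool/audit/remote.log\nmode = immediate\n"
)
GOOD_REMOTE_AUDITD = "log_format = ENRICHED\nwrite_logs = no\nname_format = hostname\n"
GOOD_AGGREGATOR_AUDITD = "log_format = ENRICHED\nwrite_logs = yes\nname_format = hostname\n"


def severities(findings):
    return [sev for sev, _ in findings]


if __name__ == "__main__":
    for label, args in [
        ("broken remote", ("remote", BROKEN_REMOTE_AUDITD, BROKEN_AUDISPD, REMOTE_AUDISP_REMOTE)),
        ("fixed remote", ("remote", GOOD_REMOTE_AUDITD, "", REMOTE_AUDISP_REMOTE)),
        ("aggregator", ("aggregator", GOOD_AGGREGATOR_AUDITD)),
    ]:
        print(f"== {label}")
        for sev, msg in check_remote_logging(*args) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against the first configuration posted in the thread (NOLOG, name_format only in audispd.conf) it reports two errors and a warning; the corrected remote configuration yields only the informational note that queue_file is idle in immediate mode, and the aggregator configuration passes clean.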
From: Steve Grubb
Subject: Re: Audisp-remote - connection refused.
Date: Wed, 04 Oct 2017 12:28:45 -0400
Message-ID: <2019172.WnFgeQVnjg@x2>
References: <7773077.6JsVQVb1J2@x2>

On Wednesday, October 4, 2017 12:02:06 PM EDT Rituraj Buddhisagar wrote:
> HI Steve,
>
> I did the necessary,
> Change in auditd.conf - log_format to ENRICHED.
> write_logs set to "no" on client and "yes" on aggregating server.
> name_format was already set in auditd.conf and not in audispd.conf on both
> the servers.
>
> I still do not see any logs coming in /var/log/audit/audit.log on
> aggregating server.

You can run auditd -f on both systems to see on screen what is happening. Then
on the remote, auditctl -m test. You should see it on the remote screen
followed by the server screen. If you do, then something is wrong with your
config file paths. If you don't see events, I think you have some
troubleshooting of your own to do. I can't see your system so you'll have to
figure it out.

I also updated the INSTALL file in github to better reflect how to build and
install it from scratch.

> Any debugging tools to see the queue of audisp-remote? The spool file
> /var/spool/audit/remote.log is not having entries populated (btw I had to
> create it manually).

It only uses a spool file if the mode is forward. Immediate mode does not use
it.
> On Wed, Oct 4, 2017 at 8:49 PM, Steve Grubb wrote:
> > On Wednesday, October 4, 2017 10:01:49 AM EDT Rituraj Buddhisagar wrote:
> > > Hi Steve / List
> > >
> > > Now, I have built auditd from source as per the mail thread and then also
> > > created a startup script.
> > >
> > > The auditd is starting successfully.
> > >
> > > The client is able to connect to the aggregating server.
> > >
> > > *node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272):
> > > addr=192.168.103.2 port=60 res=success*
> > >
> > > I have made the necessary change in the server in /etc/audit/auditd.conf
> > >
> > > *log_format = NOLOG*
> >
> > This is a deprecated option that tells it to not write anything to disk.
> >
> > > I do not see any logs being populated - I checked log file on client, the
> > > server - also the /var/spool/audit/remote.log on the client.
> > > On the server side /var/spool/audit/remote.log is empty (I am not sure if
> > > this is something I should be checking at all)
> > >
> > > I am clueless as to what is happening. Is there some way to debug this?
> >
> > Did you modify auditd.conf to have the format be nolog? If so, it's an
> > explained condition. Nolog means no logging to disk.
> >
> > > Where are these logs getting lost?
> > > When I change the log_format back to RAW I do see the logs getting created on
> > > the client.
> >
> > For remote logging, you should set the format to enriched. This resolves
> > things locally so that the aggregating server can make sense of it later. If
> > you do not want events written to disk on the remote system, set write_logs =
> > no. You should also set name_format = hostname (or something else) in
> > auditd.conf of the remote systems. This is so you can tell who is creating the
> > events in the aggregating server.
> >
> > On the aggregating server, also set the format to enriched. But there you have
> > to have write_logs = yes. Also set name_format = hostname in auditd.conf of
> > the server.
> >
> > I would not recommend setting the name in audispd.conf for any system.
> >
> > -Steve
> >
> > > I did my best reading on net and debugging this - but no success. Please
> > > help.
> > >
> > > On Wed, Oct 4, 2017 at 1:52 AM, Steve Grubb wrote:
> > > > On Tuesday, October 3, 2017 4:00:27 PM EDT Rituraj Buddhisagar wrote:
> > > > > Steve,
> > > > >
> > > > > Here is the relevant discussion on disabling the tcp listener on Ubuntu.
> > > > > https://www.redhat.com/archives/linux-audit/2012-September/msg00027.html
> > > > >
> > > > > I do not know what exactly caused change - but now I think it should be
> > > > > enabled in distributions.
> > > > >
> > > > > Please let me know.
> > > > >
> > > > > Btw, I got auditd running (by setting LD_LIBRARY_PATH variable) from source
> > > > > now. Still audispd is not started now - what is the way / sequence to start
> > > > > auditd and audispd - if you can point me to some reference or a startup
> > > > > script will help.
> > > >
> > > > Since you installed in a non-standard location, you probably need to adjust
> > > > paths in the config files.
> > > >
> > > > What I would recommend is not to build and install by hand, but to use their
> > > > package manager to build a new package with listening enabled. The ./configure
> > > > script takes a --disable-listener parameter. So, it's probably as simple as
> > > > deleting that in the source package and rebuilding.
> > > >
> > > > That said, I have no idea how to build a package on Debian or Ubuntu.
> > > >
> > > > -Steve
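The check Steve describes above (send `auditctl -m test` from the remote and watch for it on the aggregator) has a counterpart on the aggregator's own log: every record that arrives should carry a `node=` field, which is exactly what `name_format` in the sender's auditd.conf provides. The parser below reads audit records in that form and reports which node each came from, which records arrived without a node (sender still at `name_format = none`), and whether the test messages from a given node showed up. This is an added example for this archive page, not code from the audit project (which ships ausearch and auparse for real use); the DAEMON_ACCEPT line is the one Rituraj quoted, while the other records, the node name `client1` and the serial numbers are constructed.

```python
"""Parse audit records as they arrive on an aggregating server and check that
each one carries a node= field, i.e. that the sending system has name_format
set in auditd.conf. Added example for this thread, not part of the audit
project. The sample records below are constructed, apart from the
DAEMON_ACCEPT line quoted in the thread."""
import re
from collections import Counter

# 'node=<name> ' is only prefixed when the sender's auditd.conf sets name_format.
_HEAD = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value where value is 'single-quoted', "double-quoted" or a bare token;
# a quoted value (such as the msg='...' of a USER record) is kept whole.
_KV = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\S+)""")


def parse_record(line):
    """Return {'node', 'type', 'timestamp', 'serial', 'fields'} or None."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in _KV.findall(m.group("rest")):
        fields[key] = val[1:-1] if val[0] in "'\"" else val
    return {
        "node": m.group("node"),            # None when the sender is unnamed
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def attribution_report(lines):
    """Count records per node and list serials of records with no node= field
    (their sender still has name_format = none, so they cannot be attributed)."""
    per_node = Counter()
    unattributed = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["node"] is None:
            unattributed.append(rec["serial"])
        else:
            per_node[rec["node"]] += 1
    return per_node, unattributed


def find_test_events(lines, node):
    """Serials of USER records from 'auditctl -m test' attributed to node: what
    the aggregator should show after the test step suggested in the thread."""
    return [
        rec["serial"]
        for rec in map(parse_record, lines)
        if rec and rec["type"] == "USER" and rec["node"] == node
        and rec["fields"].get("msg", "").startswith("test")
    ]


SAMPLE_RECORDS = [
    # quoted in the thread: the aggregator accepted a connection from a client
    "node=guslogs type=DAEMON_ACCEPT msg=audit(1507125123.240:7272): "
    "addr=192.168.103.2 port=60 res=success",
    # constructed: 'auditctl -m test' run on a remote named client1
    "node=client1 type=USER msg=audit(1507125130.101:15): pid=2201 uid=0 auid=1000 "
    "ses=3 msg='test exe=\"/sbin/auditctl\" hostname=? addr=? terminal=pts/0 res=success'",
    # constructed: the same test from a remote whose auditd.conf has name_format = none
    "type=USER msg=audit(1507125131.555:16): pid=1187 uid=0 auid=1000 ses=1 "
    "msg='test exe=\"/sbin/auditctl\" hostname=? addr=? terminal=pts/1 res=success'",
    # constructed: an ordinary syscall record from client1
    "node=client1 type=SYSCALL msg=audit(1507125140.003:17): arch=c000003e syscall=2 "
    "success=yes exit=3 ppid=1 pid=2210 auid=1000 uid=0 comm=\"cat\" exe=\"/bin/cat\" key=\"watch\"",
]

if __name__ == "__main__":
    per_node, unattributed = attribution_report(SAMPLE_RECORDS)
    print("records per node:", dict(per_node))
    print("serials without node= (sender lacks name_format):", unattributed)
    print("test events from client1:", find_test_events(SAMPLE_RECORDS, "client1"))
```

On the constructed sample the report attributes one record to guslogs and two to client1, flags serial 16 as unattributable, and finds the client1 test message at serial 15; a real run would feed it the aggregator's audit.log or the output of `auditd -f`.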