Hello.

I am trying to use auditd as a server to gather logs from remote clients.

1) My conditions:

rpm -q audit
audit-2.8.4

uname -r
4.9.124

IPv6 is disabled


2) Problem's symptom:

After every reboot of the server machine I have

from journalctl:

auditd[765]: Cannot create tcp listener socket
systemd[1]: auditd.service: Control process exited, code=exited status=1
auditd[764]: Cannot daemonize (Success)
systemd[1]: auditd.service: Failed with result 'exit-code'.
auditd[764]: The audit daemon is exiting.
systemd[1]: Failed to start Security Auditing Service.

ss -lntp -o ' sport = 60 '

State     Recv-Q      Send-Q             Local Address:Port             Peer Address:Port


Later, once the system has booted, the service can be started manually without error.


3) Workarounds:

a) systemd

The header of auditd.service says:

## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.

But this leads to circular dependencies in systemd, because auditd says: "Before=sysinit.target", and network-online.target has no direct "After=sysinit.target".

Systemd just skips auditd from boot in this case.

Of course, I can remove auditd's dependency on sysinit.target; this breaks the loop.


b) ipv4 and ipv6

I've added some debug messages into auditd to see what happens.

Actually, the ipv6 module is disabled, but at this moment 'getaddrinfo' within 'auditd_tcp_listen_init' returns both structures - AF_INET and AF_INET6.

When auditd attempts to create an AF_INET6 socket (skipping AF_INET), there is an error message: "Cannot create tcp listener socket", errno EAFNOSUPPORT.

No chance to start.


After system boot there is AF_INET only.

I have attached the patch in case anyone needs it.


Could somebody suggest a proper solution to my problem?

Thank you in advance!