Hi Steve / Audit List ;

I have this issue because Ubuntu has disabled support for listener in their distribution !! 

On a blog I found that Debian has not disabled it but the Ubuntu distribution has.

I found this when I ran auditd in foreground with -f option.

Listener support is not enabled, ignoring value at line 25

tcp_listen_queue_parser called with: 5

Listener support is not enabled, ignoring value at line 26

tcp_max_per_addr_parser called with: 1

Listener support is not enabled, ignoring value at line 27

tcp_listen_queue_parser called with: 1024-65535

Listener support is not enabled, ignoring value at line 28

tcp_client_max_idle_parser called with: 0

Steve, I then went to source site ( https://people.redhat.com/sgrubb/audit/ ) and downloaded a zip from there.

I am doing a install using below config command : it fails with python-packages dependency. 

./configure --prefix=/usr/local --sbindir=/usr/local/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes

............

.............

.............

checking for python platform... linux2

checking for python script directory... ${prefix}/lib/python2.7/dist-packages

checking for python extension module directory... ${exec_prefix}/lib/python2.7/dist-packages

configure: error: Python explicitly requested and python headers were not found

root@guslogs:/usr/src/audit-2.7.8# 

Please can you tell me which dependent packages I need to download and configure apart from python? (with a source link would help).

I see on the site that you have included - "Improved Remote Logging" in the Roadmap :) Appreciate it and anticipating it !

In the meanwhile I am also thinking of requesting Ubuntu for adding this support - not sure why they did this, what is their logic behind this. I hereby request if you can do something from your end to discuss with Ubuntu maintenars to enable this - as there is a HUGE Linux support base out there using that distro. 

Thanks!

Best Regards, Rituraj B

On Tue, Oct 3, 2017 at 8:38 PM, Steve Grubb <sgrubb@redhat.com> wrote:

On Tuesday, October 3, 2017 8:52:48 AM EDT Rituraj Buddhisagar wrote:
> Hi Steve,
>
> I did check IPtables and I am not having any rules in there. I have allowed
> the connections in /etc/hosts.allow. But then I do not see auditd listening
> on port 60.
> It just shows "ESSTABLISHED" connection on the aggregating server - which
> is itself!

You should not enable audisp-remote on the aggregating server. Auditd handles
incoming connections itself.

-Steve

> root@guslogs:/etc/audit# lsof -i :60
> COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> audisp-re 2146 root    3u  IPv4  20368      0t0  TCP 192.168.103.7:60->
> 192.168.103.7:60 (ESTABLISHED)
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -pan | grep 60
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>      1260/sshd
> tcp    10491   1360 192.168.103.7:60        192.168.103.7:60
>  ESTABLISHED 2146/audisp-remote
> tcp6       0      0 :::22                   :::*                    LISTEN
>      1260/sshd
> unix  2      [ ACC ]     STREAM     LISTENING     16055    1925/0
>    /tmp/ssh-h0brbTMA4a/agent.1925
> unix  3      [ ]         STREAM     CONNECTED     13777    1260/sshd
>
> unix  2      [ ]         DGRAM                    17760    1897/systemd
>
> unix  3      [ ]         STREAM     CONNECTED     16036    1897/systemd
>
> unix  2      [ ]         DGRAM                    20360    2136/auditd
>
> unix  3      [ ]         STREAM     CONNECTED     13260    1/init
>    /run/systemd/journal/stdout
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# netstat -tanp | grep auditd
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root@guslogs:/etc/audit#
> root@guslogs:/etc/audit# cat /etc/hosts.allow
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and
> hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "rpcbind" for the
> # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
> #
>
> ALL: ALL
> root@guslogs:/etc/audit#
>
>
> Best Regards,
> Rituraj B
>
> On Tue, Oct 3, 2017 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 2, 2017 11:31:15 PM EDT Rituraj Buddhisagar wrote:
> > > P
> > > ​lease see inline-
> > >
> > > regards
> > > ​
> > >
> > > On Tue, Oct 3, 2017 at 3:28 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Monday, October 2, 2017 2:55:51 PM EDT Rituraj Buddhisagar wrote:
> > > > > Hi
> > > > >
> > > > > I tried my best to configure the audisp-remote.
> > > > > I am getting below error on the client machine in /var/log/syslog.
> > > > >
> > > > > Oct  2 14:41:15 xxxxxx audisp-remote: Error connecting to
> >
> > 192.168.103.7:
> > > > > Connection refused
> > > >
> > > > On the server, what do you get for:
> > > >
> > > > ausearch --start recent -m DAEMON_ACCEPT -i
> > > >
> > > > The server side records some information about why it did not allow a
> > > > connection.
> > >
> > > ​I dont see any info in here.
> > >
> > > # ausearch --start recent -m DAEMON_ACCEPT -i
> > > <no matches>
> >
> > Then its not connecting at all. Maybe your firewall is blocking it. Maybe
> > selinux is blocking it? Once auditd sees its socket is readable, it calls
> > accept(2) and there is no path through the code that doesn't log an event
> > with
> > a reason. Every possible failure logs a distinct reason why the connection
> > failed.
> >
> > > I tried without --start & -i options as well.
> >
> > --start today if you didn't connect within 10 minutes of running the
> > command.
> >
> > > But when I do a tcpdump on central server, I do see requests coming in.
> >
> > (I
> >
> > > changed port to 60).
> > > # tcpdump -i eth1 '( port 60 )'
> > > 08:53:56.597946 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> >
> > 4076269451,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.597980 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 4076269452, win 0, length 0
> > > 08:53:56.598843 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> >
> > 4076287474,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.598858 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 18024, win 0, length 0
> > > 08:53:56.599164 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> >
> > 4076300652,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > > 08:53:56.599175 IP 192.168.103.7.60 > gusm1.60: Flags [R.], seq 0, ack
> > > 31202, win 0, length 0
> > > 08:53:56.599657 IP gusm1.60 > 192.168.103.7.60: Flags [S], seq
> >
> > 4076306151,
> >
> > > win 29200, options [mss 1460,sackOK,TS val 207316 ecr 0,nop,wscale 7],
> > > length 0
> > >
> > > I think the service is only listening locally and not for remote
> > > connections?
> >
> > It opens a socket on all addresses.
> > # netstat -tanp | grep auditd
> > tcp        0      0 0.0.0.0:60              0.0.0.0:*               LISTEN
> > 893/auditd
> >
> > > root@logs:/etc/audit# lsof -i :60
> > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > audisp-re 1713 root    3u  IPv4  17433      0t0  TCP 192.168.103.7:60->
> > > 192.168.103.7:60 (ESTABLISHED)
> > >
> > >
> > > How do I see that I am using libwrap?
> >
> > It should have a config line in auditd.conf. If you do not, it defaults to
> > yes. That means it looks in /etc/hosts.allow and hosts.deny to decide.
> > Odds
> > are you put nothing there and the connection proceeds. If I were to guess,
> > I'd
> > say iptables is blocking your connection.
> >
> > > I have enable_krb5=no in the
> > > auditd.conf on the aggregative server.
> >
> > Good. Cause doing a krb5 connection without setting that up will cause it
> > to
> > fail also. I'd bet on iptables being the problem.
> >
> > -Steve
> >
> > > > > 192.168.103.7 is the IP address of the central log server.
> > > > >
> > > > > Notes: My settings are below:
> > > > >
> > > > > on server as well on client:
> > > > > /etc/audisp/audisp-remote
> > > > >
> > > > > remote_server = 192.168.103.7
> > > > > port = 6999
> > > > > local_port = 6999
> > > > > transport = tcp
> > > > > queue_file = /var/spool/audit/remote.log
> > > > > mode = immediate
> > > > > queue_depth = 2048
> > > > > format = ascii
> > > > > network_retry_time = 100
> > > >
> > > > This is probably not your problem but managed is the normal setting
> > > > for
> > > > format. And do you have enable_krb5 set to no?
> > > >
> > > > > I have enabled name_format=HOSTNAME only in one place (in
> > > > > /etc/audisp/audispd.conf - and not in /etc/audit/auditd.conf
> > > > >
> > > > > entries in auditd.conf:
> > > > >
> > > > > rtcp_listen_port = 6999
> > > > > tcp_listen_queue = 5
> > > > > tcp_max_per_addr = 10
> > > > > tcp_client_ports = 0-65535
> > > > > tcp_client_max_idle = 0
> > > >
> > > > What do you have for use_libwrap and enable_krb5?
> > > >
> > > > The ausearcn info from the aggregating server should tell the reason
> >
> > why
> >
> > > > the
> > > > connection is rejected.
> > > >
> > > > -Steve
> > > >
> > > > > I see the server is listening on the port 6999 as below but its not
> > > > > accepting client request.
> > > > > root@logs:/etc# lsof -i :6999
> > > > > COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > > > > audisp-re 9091 root    3u  IPv4  33671      0t0  TCP
> >
> > 192.168.103.7:6999
> >
> > > > ->
> > > >
> > > > > 192.168.103.7:6999 (ESTABLISHED)
> > > > >
> > > > >
> > > > >
> > > > > Best Regards,
> > > > > Rituraj B