A quick check of the daemon code shows it's IPv4 only.
Upstream commits: 5bcbfffbd986304861e225302e75fe19b0cc94bf, 986b7374c25212b7e9edd2a730b067f081fb2aca, and 12c69cacc321cb92ac3179ee2240029364101f34 should solve this issue.
audit-2.8-1.el7 was built to resolve this issue.
It looks like there is still something missing or broken. I am testing with audit-2.8.1-1 and IPv6 connection is refused by remote logging server:

ON CLIENT
=========
# strace -f -p <audisp>
...
[pid 29783] connect(3, {sa_family=AF_INET6, sin6_port=htons(60), inet_pton(AF_INET6, "2620:52:0:25a2:d836:d0ff:fe6e:501d", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)
...
# journalctl -xe
...
Oct 17 16:28:42 sheep-49.lab.eng.brq.redhat.com audisp-remote[29783]: Error connecting to sheep-29.lab.eng.brq.redhat.
...

ON SERVER
=========
# netstat -ptna | grep :60
tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN 28521/auditd

Clearly, auditd is not listening on IPv6. Test scenario is as follows:

* on server
  - listen on port 60,
  - firewalld is not running, empty iptables
* on client
  - active audit-remote plugin with remote_server set to server hostname,
  - firewalld is not running, empty iptables
  - server hostname mapped to its global ipv6 address in /etc/hosts
  - nsswitch configured to check /etc/hosts only

With IPv4 address set to server hostname in /etc/hosts it works just fine. But with IPv6 connection is dropped by server.
Strange, it worked when I tested it. But clearly something is wrong. Upstream commit 659bfd3 makes the server bind to :::*.
audit-2.8.1-2.el7 was built to fix the issue in #c15.
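Added example (not part of the bug report or of the audit project's code): a shell check that reads `netstat -ptna` output and reports which address families have a listener on a given TCP port, which is the condition the server-side netstat output in the report exposed. The function name `listen_families` and the sample lines other than the `0.0.0.0:60` line quoted in the report are constructed for illustration.

```shell
#!/bin/sh
# Classify LISTEN sockets for one TCP port from `netstat -ptna` output on stdin.
# Prints one of: none, ipv4, ipv6, ipv4+ipv6

listen_families() {
    port="$1"
    awk -v port="$port" '
        # netstat -tna columns: proto recv-q send-q local foreign state [pid/prog]
        $6 == "LISTEN" && ($1 == "tcp" || $1 == "tcp6") {
            n = split($4, parts, ":")     # port is the text after the last colon
            if (parts[n] != port) next    # exact match: 60 must not match 6000
            if ($1 == "tcp6") v6 = 1; else v4 = 1
        }
        END {
            if (v4 && v6) print "ipv4+ipv6"
            else if (v6)  print "ipv6"
            else if (v4)  print "ipv4"
            else          print "none"
        }'
}

# The auditd line is the one quoted in the report; the port 6000 line is
# constructed to exercise the exact-port match.
SAMPLE_V4_ONLY='tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1234/example
tcp 0 0 0.0.0.0:60 0.0.0.0:* LISTEN 28521/auditd'

# Constructed: how a listener bound to :::60 appears in netstat output.
SAMPLE_WILDCARD_V6='tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1234/example
tcp6 0 0 :::60 :::* LISTEN 28521/auditd'

printf 'reported state: %s\n' "$(printf '%s\n' "$SAMPLE_V4_ONLY" | listen_families 60)"
printf 'bound to :::60: %s\n' "$(printf '%s\n' "$SAMPLE_WILDCARD_V6" | listen_families 60)"
```

On a live server, pipe `netstat -ptna` into `listen_families 60`. On Linux a `tcp6` wildcard listener also accepts IPv4 connections unless IPV6_V6ONLY is in effect, so a result of `ipv6` alone does not by itself mean IPv4 clients are shut out.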
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0760