Red Hat Bugzilla – Bug 1455598
Default port is wrong in audisp-remote.conf
Last modified: 2018-04-10 08:20:11 EDT
Description of problem: The default audisp-remote.conf file uses port 60 as the default. However, /etc/services has port 48 listed for auditd. It makes sense to use this port as the default. Version-Release number of selected component (if applicable): 2.6.5 How reproducible: always Steps to Reproduce: 1. grep port /etc/audisp/audisp-remote.conf 2. grep auditd /etc/services 3. Actual results: Expected results: Additional info:
If you use 48, then you are supposed to adhere to the defined a protocol for that port. I have no idea what the traffic on port 48 looked like when digital was still alive. What we did was use port 60 which IANA lists as unassigned. This is in both client and server and in the selinux policy. Maybe at some point I'll apply for the port 60 assignment. I'm not really inclined to change the number without a whole lot more digging into it.
Ok. It was confusing because there was no default set for tcp_listen_port, and /etc/services had port 48. Also, there was nothing specified in the man-pages, that I could find. So it would be good if the documentation were updated to reflect this, and perhaps /etc/services updated as well.
The fix would be to put a default port in auditd.conf and add a firewalld config file.
This should be fixed by upstream commit dd0fdc9 which is scheduled for audit-2.8.
(In reply to Steve Grubb from comment #4) > The fix would be to put a default port in auditd.conf and add a firewalld > config file. Steve, could you explain more that firewalld config file? Is is tracked somewhere? Is it actually needed? Anyone using firewalld and network communication should keep track of what ports needs to be opened himself.
It needs an audit.xml file like this: <?xml version="1.0" encoding="utf-8"?> <service> <short>Audit</short> <description>The Linux Audit subsystem is used to log security events. Enable this option, if you plan to aggregate audit events to/from a remote server/client.</description> <port protocol="tcp" port="60"/> </service> Not sure if audit should own this is firewalld. This is not a major problem. It just makes things more clear what is intended.
audit-2.8-1.el7 was built to resolve this issue.
(In reply to Steve Grubb from comment #7) > It needs an audit.xml file like this: > > <?xml version="1.0" encoding="utf-8"?> > <service> > <short>Audit</short> > <description>The Linux Audit subsystem is used to log security events. > Enable this option, if you plan to aggregate audit events to/from a remote > server/client.</description> > <port protocol="tcp" port="60"/> > </service> > > Not sure if audit should own this is firewalld. This is not a major problem. > It just makes things more clear what is intended. Ah, I see. AFAIK firewalld owns these files and hence I filed BZ#1509255.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0760