Bug 1455598 - Default port is wrong in audisp-remote.conf
Summary: Default port is wrong in audisp-remote.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1476406
Reported: 2017-05-25 14:47 UTC by David Jones
Modified: 2018-04-10 12:20 UTC (History)

Fixed In Version: audit-2.8-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:18:47 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 0 None None None 2018-04-10 12:20:10 UTC

Description David Jones 2017-05-25 14:47:46 UTC
Description of problem:
The default audisp-remote.conf file uses port 60 as the default. However, /etc/services has port 48 listed for auditd. It makes sense to use this port as the default.


Version-Release number of selected component (if applicable):
2.6.5

How reproducible:
always

Steps to Reproduce:
1. grep port /etc/audisp/audisp-remote.conf
2. grep auditd /etc/services
3.

Actual results:


Expected results:


Additional info:

Comment 2 Steve Grubb 2017-05-26 17:49:21 UTC
If you use 48, then you are supposed to adhere to the defined protocol for that port. I have no idea what the traffic on port 48 looked like when Digital was still alive. What we did was use port 60, which IANA lists as unassigned. This is in both client and server and in the SELinux policy. Maybe at some point I'll apply for the port 60 assignment. I'm not really inclined to change the number without a whole lot more digging into it.

Comment 3 David Jones 2017-05-26 18:48:11 UTC
Ok. It was confusing because there was no default set for tcp_listen_port, and /etc/services had port 48. Also, there was nothing specified in the man-pages, that I could find. So it would be good if the documentation were updated to reflect this, and perhaps /etc/services updated as well.

Comment 4 Steve Grubb 2017-07-30 15:58:53 UTC
The fix would be to put a default port in auditd.conf and add a firewalld config file.

Comment 5 Steve Grubb 2017-09-21 22:01:01 UTC
This should be fixed by upstream commit dd0fdc9 which is scheduled for audit-2.8.

Comment 6 Ondrej Moriš 2017-10-04 11:26:40 UTC
(In reply to Steve Grubb from comment #4)
> The fix would be to put a default port in auditd.conf and add a firewalld
> config file.

Steve, could you explain more about that firewalld config file? Is it tracked somewhere? Is it actually needed? Anyone using firewalld and network communication should keep track of what ports need to be opened himself.

Comment 7 Steve Grubb 2017-10-04 12:49:11 UTC
It needs an audit.xml file like this:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Audit</short>
  <description>The Linux Audit subsystem is used to log security events. Enable this option, if you plan to aggregate audit events to/from a remote server/client.</description>
  <port protocol="tcp" port="60"/>
</service>

Not sure if audit should own this or firewalld. This is not a major problem. It just makes things more clear what is intended.
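
One way to check for the confusion discussed in this thread, as an added example that is not part of the bug report or the audit package: the script reads the client `port`, the server `tcp_listen_port`, the firewalld service file and the services entry, and reports any disagreement. The helper names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: cross-check the audit remote-logging port.

# conf_value FILE KEY: value of a "key = value" line, comment lines skipped.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        tolower(k) == key { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# services_port FILE NAME: TCP port listed for NAME in an /etc/services-style file.
services_port() {
    awk -v name="$2" '$1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# fw_tcp_port FILE: TCP port in a firewalld service file laid out as in comment 7.
fw_tcp_port() {
    sed -n 's/.*<port protocol="tcp" port="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# check_audit_ports CLIENT SERVER FW_XML SERVICES: 0 only if client, server and firewall agree.
check_audit_ports() {
    client=$(conf_value "$1" port)
    server=$(conf_value "$2" tcp_listen_port)
    fw=$(fw_tcp_port "$3")
    listed=$(services_port "$4" auditd)
    rc=0
    if [ -z "$server" ]; then
        echo "server: tcp_listen_port is not set"; rc=1
    else
        [ "$client" = "$server" ] || { echo "mismatch: client sends to $client, server listens on $server"; rc=1; }
        [ "$fw" = "$server" ] || { echo "mismatch: firewalld opens ${fw:-no port}, server listens on $server"; rc=1; }
    fi
    [ -z "$listed" ] || [ "$listed" = "$client" ] || echo "note: services file lists auditd on $listed, client uses $client"
    return $rc
}

# Constructed sample files mirroring the situation in the report.
make_samples() {
    printf 'remote_server = logs.example.test\nport = 60\n' > "$1/audisp-remote.conf"
    printf '# server side\nlog_format = RAW\n##tcp_listen_port = 60\n' > "$1/auditd.conf"
    printf 'auditd\t\t48/tcp\t\t# Digital Audit Daemon\n' > "$1/services"
    printf '<service>\n  <port protocol="tcp" port="60"/>\n</service>\n' > "$1/audit.xml"
}

d=$(mktemp -d) && make_samples "$d"
check_audit_ports "$d/audisp-remote.conf" "$d/auditd.conf" "$d/audit.xml" "$d/services" || echo "result: inconsistent"
```

On a real system the four arguments would be /etc/audisp/audisp-remote.conf on the client, /etc/audit/auditd.conf on the server, the firewalld service file, and /etc/services.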

Comment 8 Steve Grubb 2017-10-10 20:00:47 UTC
audit-2.8-1.el7 was built to resolve this issue.

Comment 10 Ondrej Moriš 2017-11-03 12:18:28 UTC
(In reply to Steve Grubb from comment #7)
> It needs an audit.xml file like this:
> 
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>Audit</short>
>   <description>The Linux Audit subsystem is used to log security events.
> Enable this option, if you plan to aggregate audit events to/from a remote
> server/client.</description>
>   <port protocol="tcp" port="60"/>
> </service>
> 
> Not sure if audit should own this or firewalld. This is not a major problem.
> It just makes things more clear what is intended.

Ah, I see. AFAIK firewalld owns these files and hence I filed BZ#1509255.

Comment 14 errata-xmlrpc 2018-04-10 12:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760

