Comments (18)
Hi, I found when the problem appears. One of the apparmor profiles prevents rsyslog from creating a UDP socket. It happens in the f_aa_enforce() function.
from hardening.
I think you can add it better than me.
from hardening.
If you can send a reply to my mail: [email protected], I would be very grateful.
from hardening.
Hi @GordonSasha, it seems to be a permission issue (create UDP socket bound to device failed: Operation not permitted, are you restarting the service using sudo?) but without additional logs I'll have a hard time helping out.
~$ lsb_release -d && logger --udp --server 10.7.8.48 "ISSUE97"
Description: Ubuntu 20.04.3 LTS
~$ lsb_release -d && sudo grep ISSUE /var/log/syslog
Description: Ubuntu Impish Indri (development branch)
Aug 26 10:27:35 focal vagrant ISSUE97
Since you are also working with routing etc. (syslog message -->|--> eth0 -----> use imudp ---> eth1 ----|--> syslogserver), this issue is out-of-scope for this project.
from hardening.
In general, this can be referred to as routing log messages. But in fact rsyslog does not receive messages because it cannot load the plugin. I have attached the log file of a running rsyslog in debug mode. You can see the problem (line 2174 ...). The same configuration works correctly on the device without hardening, so I think one (or more) of the hardening steps affects rsyslog. Retranslating syslog messages is not uncommon. I am sure, if you want, you can simply repair the problem.
If you need any additional information, let me know.
Big thanks
#~~~~~~~~~~~~~~~~ from line 2174
6849.677339702:main thread : ratelimit.c: ratelimit:imuxsock:new ratelimiter:bReduceRepeatMsgs 1
6849.677461450:main thread : errmsg.c: Called LogMsg, msg: cannot create '/run/systemd/journal/syslog'
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).
6849.678023396:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imklog
6849.678070038:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imudp
6849.678087079:main thread : imudp.c: Trying to open syslog UDP ports at *:514.
6849.678430655:main thread : errmsg.c: Called LogMsg, msg: create UDP socket bound to device failed
6849.678449122:main thread : operatingstate.c: osf: MSG create UDP socket bound to device failed: rsyslogd: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Called LogMsg, msg: create UDP socket bound to device failed
#~~~~~~~~~~~~~~~
rsyslog_imudp.log
from hardening.
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).
Address already in use, is there another instance of rsyslog running on port 514 already?
from hardening.
No, nobody is listening on 514.
from hardening.
sudo netstat -tulpn | grep LISTEN
[sudo] password for tfence:
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 643/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 719/sshd: /usr/sbin
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1357/master
tcp 0 0 127.0.0.1:7883 0.0.0.0:* LISTEN 678/mosquitto
tcp6 0 0 :::22 :::* LISTEN 719/sshd: /usr/sbin
tcp6 0 0 ::1:25 :::* LISTEN 1357/master
from hardening.
netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 localhost:7883 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:smtp [::]:* LISTEN
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 172.16.1.52:ntp 0.0.0.0:*
udp 0 0 10.0.0.2:ntp 0.0.0.0:*
udp 0 0 localhost:ntp 0.0.0.0:*
udp 0 0 0.0.0.0:ntp 0.0.0.0:*
udp 0 0 10.0.0.255:51101 0.0.0.0:*
udp 0 0 10.0.0.255:51102 0.0.0.0:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
raw6 0 0 [::]:ipv6-icmp [::]:* 7
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] SEQPACKET LISTENING 18231 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 56071 /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 56076 /run/user/1000/bus
unix 2 [ ACC ] STREAM LISTENING 56077 /run/user/1000/gnupg/S.dirmngr
unix 2 [ ACC ] STREAM LISTENING 56078 /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 56079 /run/user/1000/gnupg/S.gpg-agent.extra
unix 2 [ ACC ] STREAM LISTENING 18213 @/org/kernel/linux/storage/multipathd
unix 2 [ ACC ] STREAM LISTENING 56080 /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2 [ ACC ] STREAM LISTENING 56081 /run/user/1000/gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 56082 /run/user/1000/pk-debconf-socket
unix 2 [ ACC ] STREAM LISTENING 28078 @USBGuard@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
unix 2 [ ACC ] STREAM LISTENING 30817 public/pickup
unix 2 [ ACC ] STREAM LISTENING 30821 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 30824 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 30828 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 30831 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 30834 private/bounce
unix 2 [ ACC ] STREAM LISTENING 30837 private/defer
unix 2 [ ACC ] STREAM LISTENING 30840 private/trace
unix 2 [ ACC ] STREAM LISTENING 30843 private/verify
unix 2 [ ACC ] STREAM LISTENING 30846 public/flush
unix 2 [ ACC ] STREAM LISTENING 30849 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 30852 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 30855 private/smtp
unix 2 [ ACC ] STREAM LISTENING 30858 private/relay
unix 2 [ ACC ] STREAM LISTENING 30861 public/showq
unix 2 [ ACC ] STREAM LISTENING 30864 private/error
unix 2 [ ACC ] STREAM LISTENING 30867 private/retry
unix 2 [ ACC ] STREAM LISTENING 30870 private/discard
unix 2 [ ACC ] STREAM LISTENING 30873 private/local
unix 2 [ ACC ] STREAM LISTENING 30876 private/virtual
unix 2 [ ACC ] STREAM LISTENING 30879 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 30882 private/anvil
unix 2 [ ACC ] STREAM LISTENING 30885 private/scache
unix 2 [ ACC ] STREAM LISTENING 30891 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 30894 private/uucp
unix 2 [ ACC ] STREAM LISTENING 30897 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 30900 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 30903 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 30906 private/mailman
unix 2 [ ACC ] STREAM LISTENING 18200 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 18202 /run/systemd/userdb/io.systemd.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 18211 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] SEQPACKET LISTENING 18216 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 18226 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 15634 /run/systemd/journal/io.systemd.journal
unix 2 [ ACC ] STREAM LISTENING 23484 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 23486 /run/uuidd/request
from hardening.
Can you include your rsyslog configuration so I can test with an exact copy?
from hardening.
Sorry for the delay and silence. I was ill.
At your request, I am sending you the syslog configuration files:
rsyslog_config.zip
Sorry again and thanks in advance.
from hardening.
No need to apologise, glad you've gotten better.
I'll have a look at the config as soon as possible.
from hardening.
Check the device setting on the servers. That is one of the reasons that error occurred.
I also tested and got it working with a rewritten config file.
from hardening.
the solution is:
echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd
from hardening.
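The fix above works because rsyslog's imudp binds its socket to an interface (SO_BINDTODEVICE), and Linux requires CAP_NET_RAW for that; the hardened AppArmor profile does not grant it, so the kernel logs an AppArmor DENIED line with capname="net_raw". Two things a practitioner would want around that one-liner: confirm the denial from the kernel audit log before granting anything, and merge the rule into the local override with append-and-check rather than `>`, which overwrites any rules already in /etc/apparmor.d/local/usr.sbin.rsyslogd. The following script is an added example and is not part of the issue thread or the hardening project; the audit log lines in it are constructed to match the kernel's real AppArmor message format, and the temporary file stands in for the local profile.

```shell
#!/bin/sh
# Added example (not from the issue thread or the hardening project):
# derive "capability X," rules from AppArmor capability denials for a given
# profile and merge them into a local override file without clobbering
# rules that are already present.

# Constructed sample of what `journalctl -k` shows when AppArmor blocks
# imudp's SO_BINDTODEVICE (CAP_NET_RAW). One unrelated profile and one
# ALLOWED line are included so the filter has something to reject.
SAMPLE_AUDIT_LOG='audit: type=1400 audit(1630000000.101:31): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=1234 comm="rsyslogd" capability=13  capname="net_raw"
audit: type=1400 audit(1630000000.102:32): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=1234 comm="rsyslogd" capability=13  capname="net_raw"
audit: type=1400 audit(1630000000.103:33): apparmor="ALLOWED" operation="open" profile="rsyslogd" name="/var/log/syslog" pid=1234 comm="rsyslogd"
audit: type=1400 audit(1630000000.104:34): apparmor="DENIED" operation="capable" profile="ntpd" pid=777 comm="ntpd" capability=25  capname="sys_time"'

# Print one "capability <name>," rule per distinct capability that the
# named profile was DENIED. Audit lines come in on stdin; arg 1 is the
# AppArmor profile name as it appears in profile="...".
denied_capability_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' \
      | grep "profile=\"$profile\"" \
      | grep 'operation="capable"' \
      | sed -n 's/.*capname="\([a-z_]*\)".*/capability \1,/p' \
      | sort -u
}

# Append a rule to a profile file only if that exact line is not already
# there (idempotent, unlike `echo ... > file`). Prints "added" or "present".
ensure_rule() {
    file="$1"; rule="$2"
    touch "$file"
    if grep -qxF "$rule" "$file"; then
        echo "present"
    else
        printf '%s\n' "$rule" >> "$file"
        echo "added"
    fi
}

# Demonstration against a temporary file that stands in for
# /etc/apparmor.d/local/usr.sbin.rsyslogd (the real file needs root).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | denied_capability_rules rsyslogd \
      | while IFS= read -r rule; do
            ensure_rule "$tmp" "$rule"
        done
    echo "--- resulting local profile ---"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

On a real host, feed `journalctl -k` (or /var/log/kern.log) into `denied_capability_rules rsyslogd`, point `ensure_rule` at /etc/apparmor.d/local/usr.sbin.rsyslogd, then reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd` and restart rsyslog; `aa-status` confirms the profile is still in enforce mode. Granting only the capability the log actually shows as denied keeps the profile tight instead of relaxing it blindly.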
the solution is:
echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd
Great catch, I can add that check if you don't want to submit a PR.
Pushing upstream?
from hardening.
This issue is stale because it has been open 30 days with no activity, without any activity it will be closed in 5 days.
from hardening.