Comments (18)

GordonSasha avatar GordonSasha commented on May 29, 2024 1

Hi, I found when the problem appears. One of the apparmor profiles prevents rsyslog from creating a UDP socket. It happened in the f_aa_enforce() function.

from hardening.

GordonSasha avatar GordonSasha commented on May 29, 2024 1

I think you can add it better than me.

GordonSasha avatar GordonSasha commented on May 29, 2024

If you can send a reply to mail: [email protected] I would be very grateful.

konstruktoid avatar konstruktoid commented on May 29, 2024

Hi @GordonSasha, it seems to be a permission issue (create UDP socket bound to device failed: Operation not permitted, are you restarting the service using sudo?) but without additional logs I'll have a hard time helping out.

~$ lsb_release -d && logger --udp --server 10.7.8.48 "ISSUE97"
Description:    Ubuntu 20.04.3 LTS
~$ lsb_release -d && sudo grep ISSUE /var/log/syslog 
Description:    Ubuntu Impish Indri (development branch)
Aug 26 10:27:35 focal vagrant ISSUE97

Since you are also working with routing etc. (syslog message -->|--> eth0 -----> use imudp ---> eth1 ----|--> syslogserver), this issue is out of scope for this project.

GordonSasha avatar GordonSasha commented on May 29, 2024

In general, this can be referred to as routing log messages. But in fact rsyslog does not receive messages because it cannot load the plugin. I have attached the log file of rsyslog running in debug mode. You can see the problem (line 2174 ...). The same configuration works correctly on the device without hardening, so I think one (or more) of the hardening steps affects rsyslog. Retranslating syslog messages is not uncommon. I am sure that, if you want, you can simply repair the problem.
If you need any additional information, let me know.
Big thanks
#~~~~~~~~~~~~~~~~ from line 2174
6849.677339702:main thread : ratelimit.c: ratelimit:imuxsock:new ratelimiter:bReduceRepeatMsgs 1
6849.677461450:main thread : errmsg.c: Called LogMsg, msg: cannot create '/run/systemd/journal/syslog'
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).
6849.678023396:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imklog
6849.678070038:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imudp
6849.678087079:main thread : imudp.c: Trying to open syslog UDP ports at *:514.
6849.678430655:main thread : errmsg.c: Called LogMsg, msg: create UDP socket bound to device failed
6849.678449122:main thread : operatingstate.c: osf: MSG create UDP socket bound to device failed: rsyslogd: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Called LogMsg, msg: create UDP socket bound to device failed
#~~~~~~~~~~~~~~~
rsyslog_imudp.log

konstruktoid avatar konstruktoid commented on May 29, 2024
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).

Address already in use, is there another instance of rsyslog running on port 514 already?

GordonSasha avatar GordonSasha commented on May 29, 2024

No, nobody is listening on 514.

GordonSasha avatar GordonSasha commented on May 29, 2024

sudo netstat -tulpn | grep LISTEN
[sudo] password for tfence:
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 643/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 719/sshd: /usr/sbin
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1357/master
tcp 0 0 127.0.0.1:7883 0.0.0.0:* LISTEN 678/mosquitto
tcp6 0 0 :::22 :::* LISTEN 719/sshd: /usr/sbin
tcp6 0 0 ::1:25 :::* LISTEN 1357/master

GordonSasha avatar GordonSasha commented on May 29, 2024

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 localhost:7883 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:smtp [::]:* LISTEN
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 172.16.1.52:ntp 0.0.0.0:*
udp 0 0 10.0.0.2:ntp 0.0.0.0:*
udp 0 0 localhost:ntp 0.0.0.0:*
udp 0 0 0.0.0.0:ntp 0.0.0.0:*
udp 0 0 10.0.0.255:51101 0.0.0.0:*
udp 0 0 10.0.0.255:51102 0.0.0.0:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
raw6 0 0 [::]:ipv6-icmp [::]:* 7
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] SEQPACKET LISTENING 18231 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 56071 /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 56076 /run/user/1000/bus
unix 2 [ ACC ] STREAM LISTENING 56077 /run/user/1000/gnupg/S.dirmngr
unix 2 [ ACC ] STREAM LISTENING 56078 /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 56079 /run/user/1000/gnupg/S.gpg-agent.extra
unix 2 [ ACC ] STREAM LISTENING 18213 @/org/kernel/linux/storage/multipathd
unix 2 [ ACC ] STREAM LISTENING 56080 /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2 [ ACC ] STREAM LISTENING 56081 /run/user/1000/gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 56082 /run/user/1000/pk-debconf-socket
unix 2 [ ACC ] STREAM LISTENING 28078 @USBGuard@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
unix 2 [ ACC ] STREAM LISTENING 30817 public/pickup
unix 2 [ ACC ] STREAM LISTENING 30821 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 30824 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 30828 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 30831 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 30834 private/bounce
unix 2 [ ACC ] STREAM LISTENING 30837 private/defer
unix 2 [ ACC ] STREAM LISTENING 30840 private/trace
unix 2 [ ACC ] STREAM LISTENING 30843 private/verify
unix 2 [ ACC ] STREAM LISTENING 30846 public/flush
unix 2 [ ACC ] STREAM LISTENING 30849 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 30852 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 30855 private/smtp
unix 2 [ ACC ] STREAM LISTENING 30858 private/relay
unix 2 [ ACC ] STREAM LISTENING 30861 public/showq
unix 2 [ ACC ] STREAM LISTENING 30864 private/error
unix 2 [ ACC ] STREAM LISTENING 30867 private/retry
unix 2 [ ACC ] STREAM LISTENING 30870 private/discard
unix 2 [ ACC ] STREAM LISTENING 30873 private/local
unix 2 [ ACC ] STREAM LISTENING 30876 private/virtual
unix 2 [ ACC ] STREAM LISTENING 30879 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 30882 private/anvil
unix 2 [ ACC ] STREAM LISTENING 30885 private/scache
unix 2 [ ACC ] STREAM LISTENING 30891 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 30894 private/uucp
unix 2 [ ACC ] STREAM LISTENING 30897 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 30900 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 30903 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 30906 private/mailman
unix 2 [ ACC ] STREAM LISTENING 18200 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 18202 /run/systemd/userdb/io.systemd.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 18211 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] SEQPACKET LISTENING 18216 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 18226 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 15634 /run/systemd/journal/io.systemd.journal
unix 2 [ ACC ] STREAM LISTENING 23484 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 23486 /run/uuidd/request

konstruktoid avatar konstruktoid commented on May 29, 2024

Can you include your rsyslog configuration so I can test with an exact copy?

GordonSasha avatar GordonSasha commented on May 29, 2024

Sorry for the delay and silence. I was ill.
At your request, I am sending you the syslog configuration files:
rsyslog_config.zip
Sorry again and thanks in advance

konstruktoid avatar konstruktoid commented on May 29, 2024

No need to apologise, glad you've gotten better.

I'll have a look at the config as soon as possible.

konstruktoid avatar konstruktoid commented on May 29, 2024

Check the device setting on the servers. That's one of the reasons that error occurred.

I also tested and got it working with a rewritten config file.

GordonSasha avatar GordonSasha commented on May 29, 2024

The solution is:
echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd

konstruktoid avatar konstruktoid commented on May 29, 2024

the solution is :
echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd

Great catch, I can add that check if you don't want to submit a PR.
Pushing upstream?

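The exchange above ends with the fix (grant rsyslogd the net_raw capability in the local AppArmor override) but not with how to confirm AppArmor is the cause or how to apply the fix without clobbering existing local rules. The following is an added example, not code from the thread's participants or from the hardening project: list_denied_caps() extracts the capability names AppArmor reports as DENIED for a profile from audit or kernel log lines, and add_local_cap() appends "capability <name>," to the override file only if it is not already there and reloads the profile. It assumes the standard AppArmor audit line format, that the main profile at /etc/apparmor.d/usr.sbin.rsyslogd includes its local/ override, and that apparmor_parser is installed; the audit lines embedded below are constructed samples, not the reporter's logs.

```shell
#!/bin/sh
# Added example (not from the hardening project or the thread's authors).
# Assumptions: standard AppArmor audit line format; the main profile
# /etc/apparmor.d/usr.sbin.rsyslogd pulls in /etc/apparmor.d/local/usr.sbin.rsyslogd;
# apparmor_parser is available for the reload.

# Constructed sample of the kernel/audit lines AppArmor emits for this failure.
# Denied "capable" operations carry the capability name in capname="...".
SAMPLE_AUDIT='audit: type=1400 audit(1630000000.123:45): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=1234 comm="rsyslogd" capability=13  capname="net_raw"
audit: type=1400 audit(1630000000.456:46): apparmor="ALLOWED" operation="open" profile="rsyslogd" name="/var/log/syslog" pid=1234 comm="rsyslogd"
audit: type=1400 audit(1630000000.789:47): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=1234 comm="rsyslogd" capability=13  capname="net_raw"
audit: type=1400 audit(1630000001.000:48): apparmor="DENIED" operation="capable" profile="other_daemon" pid=99 comm="otherd" capability=12  capname="net_admin"'

# list_denied_caps PROFILE  (reads audit lines on stdin)
# Prints each capability name denied to PROFILE, one per line, deduplicated.
# Feed it `journalctl -k` or /var/log/audit/audit.log on a real host.
list_denied_caps() {
    profile="$1"
    grep 'apparmor="DENIED"' | grep 'operation="capable"' \
        | grep "profile=\"$profile\"" \
        | sed -n 's/.*capname="\([^"]*\)".*/\1/p' \
        | sort -u
}

# add_local_cap CAP [FILE]
# Appends "capability CAP," to the local override unless that exact line is
# already present, then reloads the profile if the tooling and profile exist.
# The thread's one-liner used ">" which truncates the file; ">>" plus the
# duplicate check keeps any rules already in the override.
add_local_cap() {
    cap="$1"
    file="${2:-/etc/apparmor.d/local/usr.sbin.rsyslogd}"
    line="capability ${cap},"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
    # Reload only the real profile on a real host; a temp file passed for
    # testing has no matching profile and is left alone.
    main="/etc/apparmor.d/$(basename "$file")"
    if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$main" ]; then
        apparmor_parser -r "$main"
    fi
}

# Demo on the constructed sample: prints "net_raw".
printf '%s\n' "$SAMPLE_AUDIT" | list_denied_caps rsyslogd
```

On a hardened host the check is `journalctl -k | list_denied_caps rsyslogd` (or `grep apparmor /var/log/audit/audit.log | list_denied_caps rsyslogd`); an output of net_raw while imudp fails with "Operation not permitted" confirms the profile is the cause, after which `add_local_cap net_raw` applies the thread's fix and reloads the profile.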
github-actions avatar github-actions commented on May 29, 2024

This issue is stale because it has been open 30 days with no activity, without any activity it will be closed in 5 days.
