IPV6 failing after 4 hours on OpenSuse 15.6 server at OVH

Except your example clearly demonstrates that no audit records have been generated for this file access, for the reasons both mentioned in man auditctl and described here

It is not necessary, auditctl changes are applied immediately.

/sbin/auditctl -R /etc/audit/audit.rules

Using ausearch -i ... should print most information in user-readable form. Maybe it is due to binary NUL character embedded, not sure.

And now read man auditctl and scroll to the DISABLED BY DEFAULT section. You need to remove it from /etc/audit/rules.d/audit.rules or whatever file you use to generate the rules.

Unfortunately, the problem happens at boot. For clarity, we discovered that it’s eth0, not all, that is disabled, which is frustrating since eth0 should be playing a passive role in the bridge.

# uptime
 09:49:22  up   0:01,  1 user,  load average: 0.39, 0.50, 0.22

# grep -r . /proc/sys/net/ipv6 2>/dev/null | grep disable_ipv6
/proc/sys/net/ipv6/conf/all/disable_ipv6:0
/proc/sys/net/ipv6/conf/br0/disable_ipv6:0
/proc/sys/net/ipv6/conf/default/disable_ipv6:0
/proc/sys/net/ipv6/conf/eth0/disable_ipv6:1
/proc/sys/net/ipv6/conf/eth1/disable_ipv6:0
/proc/sys/net/ipv6/conf/eth2/disable_ipv6:0
/proc/sys/net/ipv6/conf/eth3/disable_ipv6:0
/proc/sys/net/ipv6/conf/lo/disable_ipv6:0
/proc/sys/net/ipv6/conf/usb0/disable_ipv6:0
/proc/sys/net/ipv6/conf/vif2.0/disable_ipv6:0
/proc/sys/net/ipv6/conf/vif3.0/disable_ipv6:0

Okay, made those changes, my audit.rules (auto-generated) file looks like this:

# cat audit.rules

## This file is automatically generated from /etc/audit/rules.d

-w /proc/sys/net/ipv6/conf/all/disable_ipv6 -p warx -k monitor-ipv6-all
-w /proc/sys/net/ipv6/conf/br0/disable_ipv6 -p warx -k monitor-ipv6-br0
-w /proc/sys/net/ipv6/conf/default/disable_ipv6 -p warx -k monitor-ipv6-default
-w /proc/sys/net/ipv6/conf/eth0/disable_ipv6 -p warx -k monitor-ipv6-eth0
-w /proc/sys/net/ipv6/conf/lo/disable_ipv6 -p warx -k monitor-ipv6-lo

However, there is still this:

# auditctl -l
No rules

and the rules are still being removed right after being added:

----
type=CONFIG_CHANGE msg=audit(05/01/25 10:01:34.303:18) : auid=unset ses=4294967295 op=remove_rule path=/proc/sys/net/ipv6/conf/all/disable_ipv6 key=monitor-ipv6-all list=exit res=yes

As another attempt, I added the manual rule to my network config script, before anything else fires up. But, alas, although the rule stayed this time, nothing was captured.

Here’s where the script added the rule:

# ausearch -ts today -k monitor-ipv6 -i
----
type=PROCTITLE msg=audit(05/01/25 10:01:55.993:96) : proctitle=auditctl -w /proc/sys/net/ipv6/conf/eth0/disable_ipv6 -p warx -k monitor-ipv6-eth0
type=PATH msg=audit(05/01/25 10:01:55.993:96) : item=0 name=/proc/sys/net/ipv6/conf/eth0/ inode=25236 dev=00:11 mode=dir,555 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/01/25 10:01:55.993:96) : cwd=/
type=SOCKADDR msg=audit(05/01/25 10:01:55.993:96) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(05/01/25 10:01:55.993:96) : arch=x86_64 syscall=sendto success=yes exit=1116 a0=0x4 a1=0x7fff2075b3b0 a2=0x45c a3=0x0 items=1 ppid=1895 pid=2030 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=auditctl exe=/usr/sbin/auditctl key=(null)
type=CONFIG_CHANGE msg=audit(05/01/25 10:01:55.993:96) : auid=unset ses=unset op=add_rule key=monitor-ipv6-eth0 list=exit res=yes

and the only other output is when I ran the grep command:

----
type=PROCTITLE msg=audit(05/01/25 10:06:26.616:307) : proctitle=grep --color=auto -r . /proc/sys/net/ipv6
type=PATH msg=audit(05/01/25 10:06:26.616:307) : item=0 name=disable_ipv6 inode=25237 dev=00:11 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/01/25 10:06:26.616:307) : cwd=/root
type=SYSCALL msg=audit(05/01/25 10:06:26.616:307) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x6 a1=0x555873987148 a2=O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a3=0x0 items=1 ppid=9475 pid=15268 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=3 comm=grep exe=/usr/bin/grep key=monitor-ipv6-eth0

I suspect that it’s taking audit a cycle or two to “warm up” because even when my recycle script runs immediately after the rule add, the change is not captured.

So whatever happens is happening before that.

I’ve rechecked the tree in /etc/sysconfig/network, but found nothing obvious there.

The net effect of this is that with eth0/disable_ipv6 set to 1 - at or during boot - somehow - it’s only a matter of time until things die.

Glen

See what @arvidjaar wrote above, auditctl does not work for “files” in /proc/sys/net/.

I did initially think it did work, but the message ausearch shows is a message indicating the rule was added; reading the file did not trigger a log message in ausearch.

Where did I say it?

10:~ # auditctl -d never,task
10:~ # auditctl -w /proc/sys/net/ipv6/conf/all/disable_ipv6 -p warx -k test-audit
10:~ # cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0
10:~ # ausearch -ts recent -m ALL -i -k test-audit
----
type=PROCTITLE msg=audit(05/02/25 09:51:42.155:249) : proctitle=auditctl -w /proc/sys/net/ipv6/conf/all/disable_ipv6 -p warx -k test-audit 
type=PATH msg=audit(05/02/25 09:51:42.155:249) : item=0 name=/proc/sys/net/ipv6/conf/all/ inode=12492 dev=00:14 mode=dir,555 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/02/25 09:51:42.155:249) : cwd=/root 
type=SOCKADDR msg=audit(05/02/25 09:51:42.155:249) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(05/02/25 09:51:42.155:249) : arch=x86_64 syscall=sendto success=yes exit=1108 a0=0x4 a1=0x7fff0ebac040 a2=0x454 a3=0x0 items=1 ppid=1496 pid=2456 auid=bor uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=auditctl exe=/usr/sbin/auditctl subj=unconfined key=(null) 
type=CONFIG_CHANGE msg=audit(05/02/25 09:51:42.155:249) : auid=bor ses=2 subj=unconfined op=add_rule key=test-audit list=exit res=yes 
----
type=PROCTITLE msg=audit(05/02/25 09:51:50.031:250) : proctitle=cat /proc/sys/net/ipv6/conf/all/disable_ipv6 
type=PATH msg=audit(05/02/25 09:51:50.031:250) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=12497 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/02/25 09:51:50.031:250) : cwd=/root 
type=SYSCALL msg=audit(05/02/25 09:51:50.031:250) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffd4056e818 a2=O_RDONLY a3=0x0 items=1 ppid=1496 pid=3744 auid=bor uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=cat exe=/usr/bin/cat subj=unconfined key=test-audit 
10:~ # 
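The records in this thread are of two kinds that are easy to confuse when skimming `ausearch -i` output: CONFIG_CHANGE records that only say a rule was added or removed (the `op=remove_rule` line earlier in the thread) and SYSCALL records that show the watch actually firing on a file read, as in the `cat` run above. The following is an added example, not part of the thread: a small Python parser that groups `ausearch -i` lines by event serial and separates rule changes from real watch hits. The sample input is constructed from trimmed copies of the thread's own records; the `monitor-ipv6` key prefix is the one the thread uses.

```python
"""Split `ausearch -i` output into rule add/remove events and watch hits."""
import re
from collections import defaultdict

# Constructed sample: shortened copies of records shown in the thread.
SAMPLE = """\
----
type=CONFIG_CHANGE msg=audit(05/01/25 10:01:34.303:18) : auid=unset ses=4294967295 op=remove_rule path=/proc/sys/net/ipv6/conf/all/disable_ipv6 key=monitor-ipv6-all list=exit res=yes
----
type=PROCTITLE msg=audit(05/01/25 10:01:55.993:96) : proctitle=auditctl -w /proc/sys/net/ipv6/conf/eth0/disable_ipv6 -p warx -k monitor-ipv6-eth0
type=SYSCALL msg=audit(05/01/25 10:01:55.993:96) : arch=x86_64 syscall=sendto success=yes exit=1116 pid=2030 auid=unset uid=root comm=auditctl exe=/usr/sbin/auditctl key=(null)
type=CONFIG_CHANGE msg=audit(05/01/25 10:01:55.993:96) : auid=unset ses=unset op=add_rule key=monitor-ipv6-eth0 list=exit res=yes
----
type=PROCTITLE msg=audit(05/01/25 10:06:26.616:307) : proctitle=grep --color=auto -r . /proc/sys/net/ipv6
type=PATH msg=audit(05/01/25 10:06:26.616:307) : item=0 name=disable_ipv6 inode=25237 dev=00:11 mode=file,644 ouid=root ogid=root nametype=NORMAL
type=SYSCALL msg=audit(05/01/25 10:06:26.616:307) : arch=x86_64 syscall=openat success=yes exit=3 pid=15268 auid=root uid=root comm=grep exe=/usr/bin/grep key=monitor-ipv6-eth0
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>) : <key=value ...>
HEADER = re.compile(r"^type=(\w+) msg=audit\(([^)]+):(\d+)\) : (.*)$")


def parse_events(text):
    """Group records by event serial: {serial: [(record_type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # '----' separators and blank lines carry no record
        rtype, _stamp, serial, body = m.groups()
        # Tokens without '=' (e.g. the words of a proctitle) are dropped.
        fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        events[int(serial)].append((rtype, fields))
    return dict(events)


def rule_changes(events):
    """Every CONFIG_CHANGE record as (serial, op, key): rule bookkeeping, not file access."""
    return [(s, f["op"], f.get("key"))
            for s in sorted(events) for rtype, f in events[s]
            if rtype == "CONFIG_CHANGE" and "op" in f]


def watch_hits(events, key_prefix="monitor-ipv6"):
    """SYSCALL records tagged with a watch key: the watch really fired on a file access."""
    return [(s, f["comm"], f["syscall"], f["key"])
            for s in sorted(events) for rtype, f in events[s]
            if rtype == "SYSCALL" and f.get("key", "(null)").startswith(key_prefix)]
```

Run over real output with `parse_events(open("out.txt").read())`; an empty `watch_hits` list next to a non-empty `rule_changes` list is exactly the "only the rule add was logged" situation described in the thread.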

Okay, I should have read further than the first sentence; indeed you do not get output (apart from a message about adding the rule) for:

> sudo auditctl -l
-a never,task

Thank you both for your responses!

Just for clarity, in my situation:

  1. When I added the rules to rules.d/glen.rules, the rules did seem to persist across a reboot, and they did get loaded, but even after I removed all the other stuff, my rules still got unloaded immediately after getting loaded.
  2. When I added a manual rule to my startup script, that rule did get loaded, and it did not get unloaded (it did stay active) - and my subsequent cat of the proc/sys/net file did get logged - I did the cat twice and it did get logged both times, so the rule was active and producing output. The problem is that using this method didn’t produce any other output, which apparently indicates that whatever is happening is happening before my manual rule load runs.

So, neither method produced any results that could be informative here. I am absolutely happy to try anything else anyone wants me to try to shed further light on this - just tell me what you want and I’ll do it!

Glen


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.