sealert not being triggered by avc denials

rkoppelh
Posts: 25
Joined: 2015/01/27 03:13:14
Location: Newcastle, NSW, Australia

sealert not being triggered by avc denials

Post by rkoppelh » 2019/06/26 04:13:04

Recently I've been reinstalling clamav and as a result I found AVC denials to relevant files in /var/log/messages. I thought this was curious because sealert notification was not occurring.

Attempted sealert -a /var/log/audit/audit.log but as a result I discovered /var/log/audit/audit.log has not been updated since 1/1/2019.

Need help identifying why sealert is not triggered by AVC denials in the message log while the audit logs have stopped since 1/1/2019. Need help trying to get it working again. Following the man pages so far hasn't helped, particularly as I can't start auditd.service. Don't know if it's a bug or me. Likely me. :(

Checked
$ sudo systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2019-06-14 12:30:22 AEST; 1 weeks 5 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation

Jun 14 12:30:22 earth systemd[1]: Starting Security Auditing Service...
Jun 14 12:30:22 earth auditd[9624]: Started dispatcher: /sbin/audispd pid: 9626
Jun 14 12:30:22 earth auditd[9624]: Cannot resolve hostname earth (Temporary failure in name resolution)
Jun 14 12:30:22 earth auditd[9624]: The audit daemon is exiting.
Jun 14 12:30:22 earth systemd[1]: auditd.service: control process exited, code=exited status=1
Jun 14 12:30:22 earth systemd[1]: Failed to start Security Auditing Service.
Jun 14 12:30:22 earth systemd[1]: Unit auditd.service entered failed state.
Jun 14 12:30:22 earth systemd[1]: auditd.service failed.

[robertk@earth:~]$ sudo aureport --summary

Summary Report
======================
Range of time in logs: 01/01/70 10:00:00.000 - 01/01/19 17:33:44.131 (NOTE DATE)
Selected time for report: 01/01/70 10:00:00 - 01/01/19 17:33:44.131
Number of changes in configuration: 1189
Number of changes to accounts, groups, or roles: 29
Number of logins: 11
Number of failed logins: 4
Number of authentications: 105
Number of failed authentications: 9
Number of users: 5
Number of terminals: 20
Number of host names: 6
Number of executables: 27
Number of commands: 20
Number of files: 0
Number of AVC's: 0
Number of MAC events: 43
Number of failed syscalls: 0
Number of anomaly events: 17
Number of responses to anomaly events: 0
Number of crypto events: 72
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 1995
Number of events: 12142


[robertk@earth:~]$ sudo sealert -l /var/log/audit/audit.log
Error
query_alerts error (1003): id (/var/log/audit/audit.log) not found

[robertk@earth:~]$ sudo sealert -l /var/log/audit/audit.log
Error
query_alerts error (1003): id (/var/log/audit/audit.log) not found

[robertk@earth:~]$ sudo sealert -l /var/log/audit/audit.log.1
Error
query_alerts error (1003): id (/var/log/audit/audit.log.1) not found

[robertk@earth:~]$ sudo sealert -a /var/log/audit/audit.log.1
100% done
found 0 alerts in /var/log/audit/audit.log.1

[robertk@earth:~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

[robertk@earth:~]$ ls -lZ /var/log/audit
ls: cannot open directory /var/log/audit: Permission denied

[robertk@earth:~]$ sudo ls -lZ /var/log/audit
[sudo] password for robertk:
-rw-------. root root system_u:object_r:auditd_log_t:s0 audit.log
-r--------. root root system_u:object_r:auditd_log_t:s0 audit.log.1
-r--------. root root system_u:object_r:auditd_log_t:s0 audit.log.2
-r--------. root root system_u:object_r:auditd_log_t:s0 audit.log.3
-r--------. root root system_u:object_r:auditd_log_t:s0 audit.log.4
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found

[robertk@earth:~]$ sudo ls -l /var/log/audit
total 48636
-rw-------. 1 root root 7803269 Jan 1 17:33 audit.log
-r--------. 1 root root 10485794 Dec 31 10:18 audit.log.1
-r--------. 1 root root 10485766 Dec 28 15:06 audit.log.2
-r--------. 1 root root 10485835 Dec 27 15:42 audit.log.3
-r--------. 1 root root 10485828 Dec 26 10:56 audit.log.4
drwx------. 2 root root 16384 Jul 19 2016 lost+found

$ cat /var/log/messages (excerpt)

Jun 25 22:00:25 earth clamd: LibClamAV debug: 1: [436f6e74656e7454797065203d20676574537472696e67284d696442285265717565737442696e2c506f734265672c506f73456e642d506f734265672929] [*] [fa]
Jun 25 22:00:25 earth clamd: LibClamAV debug: load_oneyara: successfully loaded YARA.webshell_asp_up
Jun 25 22:00:25 earth clamd: LibClamAV debug: load_oneyara: attempting to load webshell_phpkit_0_1a_odd
Jun 25 22:00:25 earth clamd: LibClamAV debug: load_oneyara: generic string: [include('php://input');] => [696e636c75646528277068703a2f2f696e70757427293b]
Jun 25 22:00:25 earth clamd: LibClamAV debug: STRING_IS_ASCII yes
Jun 25 22:00:25 earth clamd: LibClamAV debug: STRING_IS_FULL_WORD yes
Jun 25 22:00:25 earth clamd: LibClamAV debug: load_oneyara: generic string: [ini_set('allow_url_include, 1'); // Allow url inclusion in this script] => [696e695f7365742827616c6c6f775f75726c5f696e636c7564652c203127293b202f2f20416c6c6f772075726c20696e636c7573696f6e20696e207468697320736372697074]
Jun 25 22:00:25 earth clamd: LibClamAV debug: STRING_IS_ASCII yes
Jun 25 22:00:25 earth clamd: LibClamAV debug: STRING_IS_FULL_WORD yes
Jun 25 22:00:26 earth kernel: type=1400 audit(1561464026.278:401): avc: denied { create } for pid=58815 comm="clamd" name="clamd.<SERVICE>" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Jun 25 22:00:26 earth systemd: clamd@scan.service: control process exited, code=exited status=1
Jun 25 22:00:26 earth systemd: Failed to start Generic clamav scanner daemon.
Jun 25 22:00:26 earth systemd: Unit clamd@scan.service entered failed state.
Jun 25 22:00:26 earth systemd: clamd@scan.service failed.
Jun 25 22:00:26 earth systemd: clamd@scan.service holdoff time over, scheduling restart.
Jun 25 22:00:26 earth systemd: Stopped Generic clamav scanner daemon.
Jun 25 22:00:26 earth systemd: Starting Generic clamav scanner daemon...

Jun 25 22:00:39 earth journal: Suppressed 10794 messages from /system.slice/system-clamd.slice
Jun 25 22:00:39 earth clamd: LibClamAV debug: daily.ldb loaded
Jun 25 22:00:39 earth clamd: LibClamAV debug: in cli_tgzload_cleanup()
Jun 25 22:00:39 earth clamd: LibClamAV debug: /usr/local/share/clamav/daily.cld loaded
Jun 25 22:00:39 earth clamd: LibClamAV debug: in cli_cvdload()
Jun 25 22:00:40 earth clamd: LibClamAV debug: MD5(.tar.gz) = 57462fd73f1cfdb356b9dca66da2b732
Jun 25 22:00:40 earth clamd: LibClamAV debug: cli_versig: Decoded signature: 57462fd73f1cfdb356b9dca66da2b732
Jun 25 22:00:40 earth clamd: LibClamAV debug: cli_versig: Digital signature is correct.
Jun 25 22:00:40 earth clamd: LibClamAV debug: in cli_tgzload()
Jun 25 22:00:40 earth clamd: LibClamAV debug: main.info loaded
Jun 25 22:00:40 earth clamd: LibClamAV debug: in cli_tgzload_cleanup()
Jun 25 22:00:40 earth clamd: LibClamAV debug: in cli_tgzload()

However, the audit log is not picking this up because auditd.service will not start.

My auditd.conf, after I thought the issue was name_type=fqd not resolving and tried name_type=hostname and none:
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
# max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd

# RK - 12/7/2016 Enabled hostname name_format insertion into event stream audit event
# RK - 26/6/2019 auditd has not been running since 12/7/2016; use of fqd does not resolve
# the fully qualified hostname, causing the daemon to fail per
#
# #>systemctl status auditd.service
# auditd.service - Security Auditing Service
# Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
# Active: failed (Result: exit-code) since Fri 2019-06-14 12:30:22 AEST; 1 weeks 4 days ago
# Docs: man:auditd(8)
# https://github.com/linux-audit/audit-documentation
#
# Jun 14 12:30:22 earth systemd[1]: Starting Security Auditing Service...
# Jun 14 12:30:22 earth auditd[9624]: Started dispatcher: /sbin/audispd pid: 9626
# Jun 14 12:30:22 earth auditd[9624]: Cannot resolve hostname earth (Temporary failure in name resolution)
# Jun 14 12:30:22 earth auditd[9624]: The audit daemon is exiting.
# Jun 14 12:30:22 earth systemd[1]: auditd.service: control process exited, code=exited status=1
# Jun 14 12:30:22 earth systemd[1]: Failed to start Security Auditing Service.
# Jun 14 12:30:22 earth systemd[1]: Unit auditd.service entered failed state.
# Jun 14 12:30:22 earth systemd[1]: auditd.service failed.
## From man auditd.conf
## name_format
## This option controls how computer node names are inserted into the audit event stream. It has the following
## choices: none, hostname, fqd, numeric, and user. None means that no computer name is inserted into the
## audit event. hostname is the name returned by the gethostname syscall. The fqd means that it takes the
## hostname and resolves it with dns for a fully qualified domain name of that machine. Numeric is similar to
## fqd except it resolves the IP address of the machine. In order to use this option, you might want to test that
## 'hostname -i' or 'domainname -i' returns a numeric address. Also, this option is not recommended if dhcp is
## used because you could have different addresses over time for the same machine. User is an admin defined
## string from the name option. The default value is none.
#(default) name = none
# name_format = fqd (did not resolve and caused auditd to fail to start)
# RK changed due to above to
# RK still getting above so changed to
#name_format = hostname
name_format = none

## This is the admin defined string that identifies the machine if user is given as the name_format option.
## name = ADMIN_DEFINED_STRING (=mydomain)


#RK - 12/7/2016 increased from 6 (default) to 10 Mbytes size
max_log_file = 10

max_log_file_action = ROTATE

#RK - 12/7/2016 increased from 75 (default) to 100 Mbytes size
space_left = 100

space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

But a manual start of auditd.service still fails, possibly because I can't manually start it, i.e.

$ sudo systemctl restart auditd.service
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

[robertk@earth:~]$ sudo systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2019-06-14 12:30:22 AEST; 1 weeks 4 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation

Jun 14 12:30:22 earth systemd[1]: Starting Security Auditing Service...
Jun 14 12:30:22 earth auditd[9624]: Started dispatcher: /sbin/audispd pid: 9626
Jun 14 12:30:22 earth auditd[9624]: Cannot resolve hostname earth (Temporary failure in name resolution)
Jun 14 12:30:22 earth auditd[9624]: The audit daemon is exiting.
Jun 14 12:30:22 earth systemd[1]: auditd.service: control process exited, code=exited status=1
Jun 14 12:30:22 earth systemd[1]: Failed to start Security Auditing Service.
Jun 14 12:30:22 earth systemd[1]: Unit auditd.service entered failed state.
Jun 14 12:30:22 earth systemd[1]: auditd.service failed.

Current other relevant files:
auditd.rules:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page


settroubleshoot.conf
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation

[Service]
Type=forking
PIDFile=/var/run/auditd.pid
ExecStart=/sbin/auditd
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules

[Install]
WantedBy=multi-user.target


audit-stop.rules
# These rules are loaded when the audit daemon stops
# if configured to do so.

# Disable auditing
-e 0

# Delete all rules
-D
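Added example, not part of the original post nor of the audit or setroubleshoot projects: while auditd is down the kernel still emits AVC records, but only through printk into /var/log/messages, where setroubleshoot never sees them. The script below pulls those records out of syslog lines (a constructed sample built around the denial quoted in the post), separates enforced from permissive-mode denials, and checks whether an auditd.conf name_format value would require hostname resolution at start-up; hostname_resolves() is an assumed approximation of that check, not auditd's own code.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample: the poster's AVC line from /var/log/messages plus made-up
# neighbours (a non-AVC line and a permissive-mode denial) to exercise the parser.
SAMPLE_MESSAGES = """\
Jun 25 22:00:25 earth clamd: LibClamAV debug: STRING_IS_ASCII yes
Jun 25 22:00:26 earth kernel: type=1400 audit(1561464026.278:401): avc: denied { create } for pid=58815 comm="clamd" name="clamd.<SERVICE>" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Jun 25 22:00:26 earth systemd: clamd@scan.service: control process exited, code=exited status=1
Jun 25 22:00:27 earth kernel: type=1400 audit(1561464027.001:402): avc: denied { read write } for pid=58820 comm="clamd" name="clamd.sock" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
"""

# Constructed auditd.conf fragment carrying the poster's final setting.
SAMPLE_AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
# name_format = fqd   (did not resolve and caused auditd to fail to start)
name_format = none
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    ts: float
    serial: int
    result: str
    perms: list
    fields: dict


def parse_avc(line):
    """Parse one kernel-logged AVC line (type=1400 via printk); None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(m.group("rest"))}
    return Avc(float(m.group("ts")), int(m.group("serial")), m.group("result"),
               m.group("perms").split(), fields)


def summarize_denials(text):
    """Count denials per (scontext, tcontext, tclass, permission); enforced
    (permissive=0) and permissive-mode (permissive=1) denials are kept apart
    so the first dict reflects what was actually blocked."""
    enforced, permissive = {}, {}
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        bucket = permissive if avc.fields.get("permissive") == "1" else enforced
        for perm in avc.perms:
            key = (avc.fields.get("scontext"), avc.fields.get("tcontext"),
                   avc.fields.get("tclass"), perm)
            bucket[key] = bucket.get(key, 0) + 1
    return enforced, permissive


def name_format_needs_resolution(conf_text):
    """True when name_format makes auditd resolve its own hostname at start-up
    (fqd via DNS, numeric via address lookup); 'none', 'hostname' and 'user' do not."""
    fmt = "none"  # default per man auditd.conf
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "name_format":
                fmt = value.lower()
    return fmt in ("fqd", "numeric")


def hostname_resolves():
    """Assumed approximation of the fqd lookup (not auditd's own code):
    resolve gethostname() with AI_CANONNAME; returns (ok, canonical name or error)."""
    host = socket.gethostname()
    try:
        info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    except socket.gaierror as exc:
        return False, str(exc)
    return True, info[0][3] or host


if __name__ == "__main__":
    enforced, permissive = summarize_denials(SAMPLE_MESSAGES)
    for key, n in enforced.items():
        print(f"ENFORCED  {n}x {key}")
    for key, n in permissive.items():
        print(f"permissive {n}x {key}")
    print("name_format needs resolution:", name_format_needs_resolution(SAMPLE_AUDITD_CONF))
    print("hostname resolves:", hostname_resolves())
```

Running it against the real /var/log/messages instead of the sample shows which denials were enforced while the audit log was stale, and whether the current auditd.conf still depends on the hostname lookup that failed.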

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: sealert not being triggered by avc denials

Post by TrevorH » 2019/06/26 06:33:16

I've copied your auditd.conf to a VM and restarted auditd using it and it all seems to be syntax error free. What happens if you edit /etc/resolv.conf and add a line there to ensure that "earth" is resolved to an ip address? What is the output from rpm -V audit ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

rkoppelh
Posts: 25
Joined: 2015/01/27 03:13:14
Location: Newcastle, NSW, Australia

Re: sealert not being triggered by avc denials

Post by rkoppelh » 2019/06/27 08:50:11

Hi thank you for looking into this ...

Unbelievable: it all started because I had a memory module failure. So before opening up the server I wanted to do a full backup. So I've ended up with the Swiss cheese kind of problem that leads to airplane crashes.

DIMM failure -> OS degraded operation -> install duplicity (had backintime, no longer working/supported) -> clamav install to clean before backup -> AVC denials (fixed manually) -> failed sealert -> failed auditd.service -> name resolution issues -> network issue ... arrrgh ^&(^^U&? :cry:

How hard can a backup be :?:

Checking your request was interesting because around December last year I replaced my Billion WiFi router that died with an ASUS, which I was configuring in late December, with 1/1/19 being my last audit.log. Interesting ... never would have thought of a relationship to audit/SELinux/sealert here. Note /etc/resolv.conf.TJI5SY dated 29/12/2018. Also around the same time I was mucking around setting up a VNC server remote login for my son, a project not finished since he no longer needed it. So I was messing around since I had never done this before. But, as I said, unfinished. The relationship however is NOW clear.

[robertk@earth:~]$ sudo rpm -V audit
S.5....T. c /etc/audit/auditd.conf
.M....... c /etc/audit/rules.d/audit.rules

[robertk@earth:~]$ sudo sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

[robertk@earth:~]$ ls -lZ /etc/resolv*
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf.4ZCRWZ
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf.TJI5SY
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf.Y4OCTY

[robertk@earth:~]$ ls -l /etc/resolv*
-rw-r--r--. 1 root root 72 Jun 14 18:07 /etc/resolv.conf
-rw-r--r--. 1 root root 30 Jan 31 06:52 /etc/resolv.conf.4ZCRWZ
-rw-r--r--. 1 root root 75 Dec 29 2016 /etc/resolv.conf.TJI5SY
-rw-r--r--. 1 root root 75 Dec 29 2016 /etc/resolv.conf.Y4OCTY

[robertk@earth:~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search somename
nameserver 192.168.1.254

[robertk@earth:~]$ cat /etc/resolv.conf.4ZCRWZ
# Generated by NetworkManager

[robertk@earth:~]$ cat /etc/resolv.conf.TJI5SY
# Generated by NetworkManager
search home.gateway
nameserver 192.168.1.254

[robertk@earth:~]$ cat /etc/resolv.conf.Y4OCTY
# Generated by NetworkManager
search home.gateway
nameserver 192.168.1.254
:idea:

[robertk@earth:~]$ ping somename
ping: somename: Name or service not known

[robertk@earth:~]$ ping home.gateway
ping: home.gateway: Temporary failure in name resolution

[robertk@earth:~]$ ping earth
PING earth.fk-family (192.168.1.128) 56(84) bytes of data.
64 bytes from earth.somename (192.168.1.128): icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from earth.somename (192.168.1.128): icmp_seq=2 ttl=64 time=0.099 ms
64 bytes from earth.somename (192.168.1.128): icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from earth.somename (192.168.1.128): icmp_seq=4 ttl=64 time=0.090 ms
^C
--- earth.fk-family ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.050/0.078/0.099/0.018 ms

[robertk@earth:~]$ ping venus
PING venus.somename (192.168.1.143) 56(84) bytes of data.

Venus is currently turned off.


Note: My old router used to be home.gateway (192.168.1.254) on the network and it, like the new one, served DHCP and DNS forwarding. With the new WiFi router I've attempted to rename it to fk-family because my son's VPN connection would be going through his, so I wanted a meaningful unique name when doing network traces. But I think I've cocked up by the looks of it here. Networking has never been my strong suit.

[robertk@earth:~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[robertk@earth:~]$ sudo cat /etc/hostname
earth

[robertk@earth:~]$ cat /etc/host.conf
multi on

[robertk@earth:~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[robertk@earth:~]$ hostname -A
earth.somename

[robertk@earth:~]$ hostname -d
somename

[robertk@earth:~]$ hostname -f
earth.somename

[robertk@earth:~]$ hostname -i
192.168.1.128

[robertk@earth:~]$ hostname -s
earth

[robertk@earth:~]$ hostname -y
hostname: Local domain name not set

[robertk@earth:~]$ sudo cat /etc/hostname
earth

[robertk@earth:~]$ host earth
earth.somename has address 192.168.1.128

[robertk@earth:~]$ host somename
Host somename not found: 3(NXDOMAIN)

[robertk@earth:~]$ host router.asus.com
router.asus.com has address 192.168.1.254

[robertk@earth:~]$ host 192.168.1.254
254.1.168.192.in-addr.arpa domain name pointer router.asus.com.

[robertk@earth:~]$ host localhost
localhost.somename has address 127.0.0.1


[robertk@earth:~]$ dig earth

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> earth
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58018
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;earth. IN A

;; ANSWER SECTION:
earth. 0 IN A 192.168.1.128

;; Query time: 2 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 16:55:05 AEST 2019
;; MSG SIZE rcvd: 50

[robertk@earth:~]$ dig @192.168.1.254 earth.fk-family

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 earth.fk-family
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15932
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;earth.somename. IN A

;; ANSWER SECTION:
earth.fk-family. 0 IN A 192.168.1.128

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 17:59:41 AEST 2019
;; MSG SIZE rcvd: 60


[robertk@earth:~]$ dig @192.168.1.254 earth

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 earth
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;earth. IN A

;; ANSWER SECTION:
earth. 0 IN A 192.168.1.128

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 17:59:53 AEST 2019
;; MSG SIZE rcvd: 50


[robertk@earth:~]$ dig @192.168.1.254 localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;localhost. IN A

;; ANSWER SECTION:
localhost. 0 IN A 127.0.0.1

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:00:03 AEST 2019
;; MSG SIZE rcvd: 54


[robertk@earth:~]$ dig @192.168.1.254 venus

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 venus
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51480
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;venus. IN A

;; ANSWER SECTION:
venus. 0 IN A 192.168.1.143

;; Query time: 1 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:00:23 AEST 2019
;; MSG SIZE rcvd: 50


[robertk@earth:~]$ dig @192.168.1.254 dns.google

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 dns.google
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29116
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.google. IN A

;; ANSWER SECTION:
dns.google. 68 IN A 8.8.4.4
dns.google. 68 IN A 8.8.8.8

;; Query time: 30 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:01:19 AEST 2019
;; MSG SIZE rcvd: 71


[robertk@earth:~]$ dig @192.168.1.254 www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @192.168.1.254 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19249
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 121 IN A 216.58.199.36

;; Query time: 30 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:01:30 AEST 2019
;; MSG SIZE rcvd: 59


[robertk@earth:~]$ dig @router.asus.com www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @router.asus.com www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55967
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 101 IN A 216.58.199.36

;; Query time: 0 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:01:51 AEST 2019
;; MSG SIZE rcvd: 59


[robertk@earth:~]$ dig @router.asus.com earth

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @router.asus.com earth
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45860
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;earth. IN A

;; ANSWER SECTION:
earth. 0 IN A 192.168.1.128

;; Query time: 0 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jun 27 18:02:01 AEST 2019
;; MSG SIZE rcvd: 50


Name resolution appears to be working? But I noted from RH and CentOS sites that since last year there have been issues re temporary resolution failures.

I'm not familiar with resolv.conf. I thought it's auto-generated by NetworkManager, so should one touch it?

So I am guessing that I should change resolv.conf by replacing somename with router.asus.com, which leads to the router? Not sure what I am doing here to resolve the earth name.

My preference, if this is some network problem (probably self-created in December/January): my priority is to bring down this workstation, which needs an immediate backup so I can investigate the failed DIMM problem and replace it. Network config fixes can come later. At least I now know that sealert is not working, so I will keep a closer eye out in the logs for AVC denials until it's resolved.
