[rsbac] Logging besides syslog

Amon Ott ao at rsbac.org
Mon Mar 8 14:37:51 CET 2004


On Monday, 8 March 2004 14:22, Charles Miller wrote:
> I've read in the documentation that there is some kernel level logging that
> takes place when actions are denied by rsbac.  I've seen mention of some
> circular kernel buffer.  I've noticed these logs in /var/log/messages, but
> wonder where else I can see these logs, as the security officer.  (For
> example, root can access /var/log/messages, can I have these show up
> somewhere root can't see them).  Where is this configured in rsbac?  TIA.

You must enable "RSBAC own logging" in kernel config, then the buffer will 
appear as /proc/rsbac-info/rmsg. This logging source is by default only 
accessible for the system roles "security officer" and "auditor", "system 
role" is set for user 400.

You can use the rsbac-klogd from the admin tools to write it all to disk. 
The rklogd will setuid to 400 (or optionally another id) first.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22


