[rsbac] creating secoff and logging to rsyslog, was: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper

Palon Setin palons at danwin1210.me
Thu Dec 6 13:46:00 CET 2018



Palon Setin:
...
> Jens Kasten:
>> Maybe I was wrong. If you like you can join irc on freenode.org channel
>> rsbac.
> You were. See below (and my other --forwarded (I mis-sent it
> yesterday)-- mail that came to the list some 30 minutes ago).
...
> It was:
> CONFIG_RSBAC_INIT_DELAY=y
> that solved my issue.

That was the previous issue. I'm modifying the subject to reflect my
current issue.

> My current issue is:
> I don't have a secoff, and am unable to find how I am supposed to create
...
> https://wiki.gentoo.org/wiki/RSBAC/Quickstart
...

>> Once emerged, the package will have created a new user account on your
>> system (secoff, with uid 400). He will become the security
>> administrator
...
>> Please set-up a secure password for the secoff user.
...
> And I'd like to set up logging as per:
> 
> https://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/syslog-ng
> 
> except on Debian systems it is rsyslog, not syslog-ng.
...
> How exactly do I create secoff uid 400 ...
> 

I've found the ebuild; it's old, but what I need to do must be the
same with rsbac-admin-1.5.3:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/rsbac-admin/rsbac-admin-1.4.8.ebuild

The complete snippet of their code:

pkg_postinst() {
	einfo "********************************************************************************"
	einfo "You have to add a security user to your system if you have not already done so."
	einfo "The name could be 'secoff' or 'security' and, if you did not change the default"
	einfo "uid in the RSBAC kernel configuration, then the following will work:"
	einfo
	einfo "    groupadd -g 400 security"
	einfo "    useradd -g 400 -u 400 security"
	einfo
	einfo "We suggest you run a separate copy of syslog-ng (for example) to log RSBAC"
	einfo "messages as user 'audit' (uid 404) instead of using the deprecated rklogd."
	einfo "See"
	einfo
	einfo "http://www.rsbac.org/documentation/administration_examples/syslog-ng"
	einfo
	einfo "for more information."
	einfo "********************************************************************************"
}

So, since I have:
CONFIG_RSBAC_SECOFF_UID=400
in my kernel, I proceed with:

# groupadd -g 400 secoff
# useradd -g 400 -u 400 secoff

And here, the tail -1 of /etc/{passwd,group} after I issued the above:

# tail -1 /etc/group
secoff:x:400:
# tail -1 /etc/passwd
secoff:x:400:400::/home/secoff:/bin/sh
#

Please do correct me if I'm not doing it right.

And now I go and try to figure out how to do the logging as per the link
to _examples/syslog-ng, converted for rsyslog on Debian.

That part may not be easy...

Palon Setin
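A check for the account-creation step in the mail above, added here as an example and not part of the original post or of the rsbac-admin package: it reads CONFIG_RSBAC_SECOFF_UID from a kernel .config and verifies that the named account exists in the given passwd and group files with that uid and gid. The function names and the file arguments are this example's own choices; the sample files are constructed to mirror the entries shown in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: confirm the security officer
# account matches CONFIG_RSBAC_SECOFF_UID before relying on it.
# Function names and the file arguments are this example's own choices.

# Print the uid the kernel was built with (empty if not set in the .config).
secoff_uid_from_config() {
    sed -n 's/^CONFIG_RSBAC_SECOFF_UID=//p' "$1"
}

# check_secoff NAME WANT_UID PASSWD_FILE GROUP_FILE
# Returns 0 when NAME exists with uid and primary gid WANT_UID and a group
# entry of the same name carries that gid; 1 otherwise (reason on stderr).
check_secoff() {
    name=$1 want=$2 passwd=$3 group=$4
    # passwd fields: name:x:uid:gid:gecos:home:shell
    entry=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "no passwd entry for $name" >&2; return 1
    fi
    uid=${entry%%:*}; gid=${entry##*:}
    if [ "$uid" != "$want" ]; then
        echo "$name has uid $uid but the kernel expects $want" >&2; return 1
    fi
    if [ "$gid" != "$want" ]; then
        echo "$name has primary gid $gid, expected $want" >&2; return 1
    fi
    ggid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$group")
    if [ "$ggid" != "$want" ]; then
        echo "group $name missing or has gid '$ggid', expected $want" >&2; return 1
    fi
    return 0
}

# Demo on constructed files mirroring the entries shown in the mail.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nsecoff:x:400:400::/home/secoff:/bin/sh\n' > "$demo_dir/passwd"
printf 'root:x:0:\nsecoff:x:400:\n' > "$demo_dir/group"
printf 'CONFIG_RSBAC=y\nCONFIG_RSBAC_SECOFF_UID=400\n' > "$demo_dir/config"
want=$(secoff_uid_from_config "$demo_dir/config")
if check_secoff secoff "$want" "$demo_dir/passwd" "$demo_dir/group"; then
    echo "secoff OK: uid/gid $want matches the kernel config"
fi
rm -rf "$demo_dir"
```

On a real system pass /etc/passwd, /etc/group and the running kernel's config (for example /boot/config-$(uname -r)) instead of the constructed files.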
