[rsbac] creating secoff and logging to rsyslog, was: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper

Palon Setin palons at danwin1210.me
Thu Dec 6 16:37:00 CET 2018



Palon Setin:
> 
> 
> Palon Setin:
> ...
>> Jens Kasten:
>>> Maybe I was wrong. If you like you can join irc on freenode.org channel
>>> rsbac.
>> You were. See below (and my other --forwarded (I mis-sent it
>> yesterday)-- mail that came to the list some 30 minutes ago).
> ...
>> It was:
>> CONFIG_RSBAC_INIT_DELAY=y
>> that solved my issue.
> 
> That was the previous issue. I'm modifying the subject to reflect my
> current issue.
> 
>> My current issue is:
>> I don't have a secoff, and am unable to find how I am supposed to create
> ...
>> https://wiki.gentoo.org/wiki/RSBAC/Quickstart
> ...
> 
>>> Once emerged, the package will have created a new user account on your
>>> system (secoff, with uid 400). He will become the security
>>> administrator
> ...
>>> Please set-up a secure password for the secoff user.
> ...
>> And I'd like to set up logging as per:
>>
>> https://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/syslog-ng
>>
>> except on Debian systems it is rsyslog, not syslog-ng.
> ...
>> How exactly do I create secoff uid 400 ...
>>
> 
> I've found the ebuild, it's old but the thing I need to do must be the
> same with rsbac-admin-1.5.3:
> https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/rsbac-admin/rsbac-admin-1.4.8.ebuild
> 
> The complete snippet of their code:
> 
> pkg_postinst() {
> 	einfo "********************************************************************************"
> 	einfo "You have to add a security user to your system if you have not already done so."
> 	einfo "The name could be 'secoff' or 'security' and, if you did not change the default"
> 	einfo "uid in the RSBAC kernel configuration, then the following will work:"
> 	einfo
> 	einfo "    groupadd -g 400 security"
> 	einfo "    useradd -g 400 -u 400 security"
> 	einfo
> 	einfo "We suggest you run a separate copy of syslog-ng (for example) to log RSBAC"
> 	einfo "messages as user 'audit' (uid 404) instead of using the deprecated rklogd."
> 	einfo "See"
> 	einfo
> 	einfo "    http://www.rsbac.org/documentation/administration_examples/syslog-ng"
> 	einfo
> 	einfo "for more information."
> 	einfo "********************************************************************************"
> }
> 
> So, since I have:
> CONFIG_RSBAC_SECOFF_UID=400
> in my kernel, I proceed with:
> 
> # groupadd -g 400 secoff
> # useradd -g 400 -u 400 secoff
> 
> And here, the tail -1 of /etc/{passwd,group} after I issued the above:
> 
> # tail -1 /etc/group
> secoff:x:400:
> # tail -1 /etc/passwd
> secoff:x:400:400::/home/secoff:/bin/sh
> #

With the above, secoff doesn't have a $HOME.

# userdel secoff

removes that new user and group created (probably) incorrectly.

# groupdel secoff
groupdel: group 'secoff' does not exist

I found a better way in the contrib of rsbac-admin:

$ grep -A10 "\%pre -n rsbac" rsbac-admin-1.5.3-201808141046/contrib/rpm/rsbac.spec
%pre -n rsbac
getent group secoff >/dev/null || groupadd -g 400 -r secoff
getent passwd secoff >/dev/null || \
        useradd -r -m -u 400 -g secoff -d /secoff -c "Security officer" -K UMASK=0077 secoff && \
        echo "umask 0077" >> /secoff/.bashrc

getent group audit >/dev/null || groupadd -g 401 -r audit
getent passwd audit >/dev/null || \
        useradd -r -m -u 401 -g audit -d /audit -c "Security audit" -K UMASK=0077 audit && \
        echo "umask 0077" >> /audit/.bashrc

And I added the flags to my previous commands, and also created audit
user and group, all as above.

Maybe I got it right this time?

Check it and see if no issues with secoff and audit, try and get the
separate logging (I have CONFIG_RSBAC_RMSG_NOSYSLOG=y set)...

Palon Setin
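A small verification script to go with the account-creation steps discussed in this thread. It is an added example, not code from the post, the rsbac-admin ebuild or the rsbac.spec: it checks that a passwd/group pair for the security-officer account actually matches the uid the kernel was built with (CONFIG_RSBAC_SECOFF_UID=400 here), has a dedicated home directory, and that the home carries the "umask 0077" line the spec appends to .bashrc. The passwd and group lines passed in are constructed samples; on a real system they would come from `getent passwd secoff` and `getent group secoff`. Because the kernel identifies the security officer purely by numeric uid, a wrong or reused uid is the failure mode worth catching before the first reboot into RSBAC.

```shell
#!/bin/sh
# Added example (not from the post or the rsbac-admin project).
# Validate that an RSBAC security-officer (or audit) account looks the way the
# kernel and the rsbac.spec recipe expect. Runs unprivileged: the passwd and
# group lines are passed in as arguments so it can be checked offline.

# check_account NAME WANT_UID PASSWD_LINE GROUP_LINE
# Prints each problem found; returns 0 only when the entry is consistent.
check_account() {
    name=$1
    want_uid=$2
    pw=$3
    gr=$4
    rc=0

    # passwd format: name:passwd:uid:gid:gecos:home:shell
    pw_name=$(printf '%s' "$pw" | cut -d: -f1)
    pw_uid=$(printf '%s' "$pw" | cut -d: -f3)
    pw_gid=$(printf '%s' "$pw" | cut -d: -f4)
    pw_home=$(printf '%s' "$pw" | cut -d: -f6)
    # group format: name:passwd:gid:members
    gr_name=$(printf '%s' "$gr" | cut -d: -f1)
    gr_gid=$(printf '%s' "$gr" | cut -d: -f3)

    if [ "$pw_name" != "$name" ]; then
        echo "passwd entry is for '$pw_name', not '$name'"
        rc=1
    fi
    # The kernel only knows the uid from CONFIG_RSBAC_SECOFF_UID; the name is
    # irrelevant to it, so a uid mismatch silently leaves you without a secoff.
    if [ "$pw_uid" != "$want_uid" ]; then
        echo "uid is '$pw_uid', kernel expects $want_uid"
        rc=1
    fi
    if [ "$gr_name" != "$name" ] || [ "$gr_gid" != "$pw_gid" ]; then
        echo "primary group '$gr_name' (gid $gr_gid) does not match passwd gid '$pw_gid'"
        rc=1
    fi
    # useradd without -m leaves the home unset or never created; insist on a
    # dedicated, absolute home path rather than "" or "/".
    case $pw_home in
        ""|/) echo "no dedicated home directory (got '$pw_home')"; rc=1 ;;
        /*) ;;
        *) echo "home '$pw_home' is not an absolute path"; rc=1 ;;
    esac
    return $rc
}

# home_has_umask HOME_DIR
# Returns 0 if HOME_DIR/.bashrc sets the restrictive umask from the spec.
home_has_umask() {
    [ -r "$1/.bashrc" ] && grep -q '^umask 0077$' "$1/.bashrc"
}

# Stand-alone usage with constructed sample entries (the second pair has the
# uid the post's first attempt would have produced had a uid been reused).
if [ "${0##*/}" = "check_secoff.sh" ]; then
    check_account secoff 400 \
        "secoff:x:400:400:Security officer:/secoff:/bin/bash" "secoff:x:400:" \
        && echo "secoff: ok"
    check_account secoff 400 \
        "secoff:x:401:400::/secoff:/bin/sh" "secoff:x:400:" \
        || echo "secoff: FAILED"
fi
```

To check a live system, feed it `check_account secoff 400 "$(getent passwd secoff)" "$(getent group secoff)"` and `home_has_umask /secoff`; the same calls with `audit`, `401` and `/audit` cover the logging account from the spec.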

