[rsbac] creating secoff and logging to rsyslog, was: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper

Palon Setin palons at danwin1210.me
Mon Dec 10 14:12:00 CET 2018

Amon Ott:
> Am 09.12.18 um 23:07 schrieb Palon Setin:
>> It's not good that the security officer is called secoff, because it
>> sounds like security is off. Also security is two chars longer. But
>> anyway, I'd only change if secoff gets renamed in Rsbac main.
> We have been using security here for years - your fingers get used to
> that name quickly. :)
Great, but it isn't reflected in the documentation.

> So far, you seem to have done the right steps. Duplicated lines in
> kern.log and syslog are normal for all kernel messages - Debian puts all
> kernel messages into both files.

> In /etc/rsyslog.conf you can extend the -/var/log/syslog specification
> with ,kern.warn to hopefully get rid of all kernel messages below
> warning level.

The line in /etc/rsyslog.conf reads, as per the default:
*.*;auth,authpriv.none      -/var/log/syslog

I modified it to read:
*.*;auth,authpriv.none      -/var/log/syslog,kern.warn

But now, after "service rsyslog restart", I get a new log file instead:

# ls -l /var/log/syslog,kern.warn
-rw-r----- 1 root adm 583 2018-12-10 13:00 /var/log/syslog,kern.warn

So I probably didn't do what you suggested... Ah, I see, I probably need
to modify it to read:

*.*;auth,authpriv.none,kern.warn      -/var/log/syslog

Yes, that will probably be it.

I was still thinking, syslog-ng and rsyslog are very different, there
does not seem to be a simple way to convert
to get all RSBAC logging into /secoff/log/<files> like there?

> In /etc/sysctl.conf I recommend kernel.printk = 3 4 1 3
> to keep consoles clean.
This was a matter of uncommenting. Done.
> Amon.

Great to read from the boss :) ! Thanks!

Palon Setin
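
In the first edit described in the message above, `,kern.warn` ended up in the action field, so rsyslog took it as part of the file name and logged to a new file. A small lint for that mistake follows as an added example that is not part of the original post. It assumes legacy `selector action` rule lines, inspects only file actions, and does not judge whether the selector itself is right; the function names and the sample excerpt are constructed for illustration.

```python
import re

# Standard syslog facility and priority keywords, plus the "*" wildcard.
FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr",
              "mail", "mark", "news", "security", "syslog", "user", "uucp",
              "*"} | {f"local{n}" for n in range(8)}
PRIORITIES = {"debug", "info", "notice", "warning", "warn", "err", "error",
              "crit", "alert", "emerg", "panic", "none", "*"}

# Constructed rsyslog.conf excerpt; line 3 is the edited line from the post.
SAMPLE = """\
# constructed sample
auth,authpriv.*             /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog,kern.warn
kern.*                      -/var/log/kern.log
"""

def looks_like_selector(text):
    """True if text is shaped like facility[,facility].priority."""
    facs, dot, prio = text.partition(".")
    return bool(dot) and prio.lstrip("!=") in PRIORITIES and all(
        f in FACILITIES for f in facs.split(","))

def stray_selectors(conf_text):
    """Return (line number, path as written, likely path, stray text) for
    file actions whose name ends in what looks like selector text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].startswith(("#", "$")):
            continue  # blank line, comment, directive or single-token line
        action = fields[1].strip()
        if not action.startswith(("/", "-/")):
            continue  # only file actions are checked
        path = action.lstrip("-")  # a leading "-" only disables syncing
        sep = re.search(r"[,;]", path)
        if sep is None:
            continue
        head, tail = path[:sep.start()], path[sep.end():]
        if any(looks_like_selector(part) for part in tail.split(";")):
            findings.append((lineno, path, head, tail))
    return findings

if __name__ == "__main__":
    for lineno, path, head, tail in stray_selectors(SAMPLE):
        print(f"line {lineno}: logs go to {path!r}; "
              f"{tail!r} is selector text, intended file is {head!r}")
```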
