[rsbac] creating secoff and logging to rsyslog, was: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper

Palon Setin palons at danwin1210.me
Tue Dec 11 18:20:00 CET 2018


Palon Setin:
> Amon Ott:
>> On 09.12.18 at 23:07, Palon Setin wrote:
...>> In /etc/rsyslog.conf you can extend the -/var/log/syslog specification
>> with ,kern.warn to hopefully get rid of all kernel messages below
>> warning level.
> 
> The line in /etc/rsyslog.conf reads, as per the default:
> *.*;auth,authpriv.none      -/var/log/syslog
> ...
> to modify it to read:
> 
> *.*;auth,authpriv.none,kern.warn      -/var/log/syslog
> 


Script started on 2018-12-11 09:30:56+00:00
# ls -l /var/log/{kern.log,messages,syslog}
-rw-r----- 1 root root 70597434 2018-12-11 09:30 /var/log/kern.log
-rw-r----- 1 root adm  70056548 2018-12-11 09:30 /var/log/messages
-rw-r----- 1 root root 70977868 2018-12-11 09:30 /var/log/syslog
# ls -l /var/log/{kern.log,messages,syslog}
   217855 /var/log/kern.log
   213854 /var/log/messages
   221628 /var/log/syslog
   653337 total

# head -2 /var/log/kern.log
2018-12-09T04:39:50.301121+00:00 myhost kernel: [18288.676403]
0000001068|rsbac_adf_request(): request CHANGE_OWNER, pid 7712, ppid
7704, prog_name tor, prog_file /usr/bin/tor, uid 0, target_type PROCESS,
tid 7712(tor,parent=7704(tor)), attr owner, value 113, result
NOT_GRANTED (Softmode) by AUTH
2018-12-09T04:39:50.368106+00:00 myhost kernel: [18288.743692]
0000001069|rsbac_adf_request(): request CHANGE_OWNER, pid 7720, ppid
7717, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid
0, target_type PROCESS, tid 7720(start-stop-daem,parent=7717(man-db)),
attr owner, value 6, result NOT_GRANTED (Softmode) by AUTH

# head -2 /var/log/messages
2018-12-09T04:39:50.085340+00:00 myhost rsyslogd:  [origin
software="rsyslogd" swVersion="8.39.0" x-pid="2002"
x-info="http://www.rsyslog.com"] rsyslogd was HUPed
2018-12-09T04:39:50.301121+00:00 myhost kernel: [18288.676403]
0000001068|rsbac_adf_request(): request CHANGE_OWNER, pid 7712, ppid
7704, prog_name tor, prog_file /usr/bin/tor, uid 0, target_type PROCESS,
tid 7712(tor,parent=7704(tor)), attr owner, value 113, result
NOT_GRANTED (Softmode) by AUTH

# head -2 /var/log/syslog
2018-12-09T04:39:49.596308+00:00 myhost rsyslogd:  [origin
software="rsyslogd" swVersion="8.39.0" x-pid="2002"
x-info="http://www.rsyslog.com"] rsyslogd was HUPed
2018-12-09T04:39:50.085340+00:00 myhost rsyslogd:  [origin
software="rsyslogd" swVersion="8.39.0" x-pid="2002"
x-info="http://www.rsyslog.com"] rsyslogd was HUPed

# ls -l
-rw-r----- 1 root root 70597434 2018-12-11 09:30 /var/log/kern.log
-rw-r----- 1 root adm  70056548 2018-12-11 09:30 /var/log/messages
-rw-r----- 1 root root 70977868 2018-12-11 09:30 /var/log/syslog
# diff /var/log/{kern.log,messages} | wc -l
4235
# diff /var/log/{kern.log,syslog} | wc -l
4135

# cat /var/log/{kern.log,messages,syslog} > rbac_to_rsyslog_ALL.log
# ls -l rbac_to_rsyslog_ALL.log
-rw-r--r-- 1 root root 211631850 2018-12-11 09:33 rbac_to_rsyslog_ALL.log
# wc -l rbac_to_rsyslog_ALL.log
653337 rbac_to_rsyslog_ALL.log

# cat /var/log/{kern.log,messages,syslog} | sort -u >
rbac_to_rsyslog_ALL_sort-u.log
# ls -l rbac_to_rsyslog_ALL_sort-u.log
-rw-r--r-- 1 root root 70978321 2018-12-11 09:34
rbac_to_rsyslog_ALL_sort-u.log
# wc -l rbac_to_rsyslog_ALL_sort-u.log
221630 rbac_to_rsyslog_ALL_sort-u.log

# ls -l /var/log/{kern.log,messages,syslog}
-rw-r----- 1 root root 70597434 2018-12-11 09:30 /var/log/kern.log
-rw-r----- 1 root adm  70056548 2018-12-11 09:30 /var/log/messages
-rw-r----- 1 root root 70977868 2018-12-11 09:30 /var/log/syslog
# exit

Script done on 2018-12-11 09:34:45+00:00

(the script doesn't work very well, not if you use Ctrl-R to
"(reverse-i-search)`': ", some of the above is actually simply pasting)

And all that was after the suggested and implemented changes to
/etc/rsyslog.conf. If you remember, first I did it the wrong way, and
that wrong way got me this file:
# ls -ltr /var/log/syslog,kern.warn
-rw-r----- 1 root adm 583 2018-12-10 13:00 /var/log/syslog,kern.warn

which I haven't touched afterwards, but immediately after that wrong
way, I did it the (hopefully) right way, so it shows that the logs were
all collected well after the changes.

I'm working through the rsbac handbook, to try to properly use it (as
soon as, or just soon after, this logging issue is --maybe just
somewhat-- resolved).

rsyslog also has pretty extensive documentation. Could it be some of its bugs?

sincerely,
Palon Setin
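An added example, not code from the post or from the RSBAC or rsyslog projects: a parser for the rsbac_adf_request() records shown in the kern.log excerpt above, which deduplicates them across kern.log, messages and syslog by RSBAC's per-record sequence number and totals the NOT_GRANTED decisions per module, request and program. The sample lines are constructed from the format in the post (each record is one line in the real log; the mail wrapped them).

```python
import re
from collections import Counter

# Constructed sample records in the format of the post's kern.log excerpt.
# The rsyslogd line is included to show that non-RSBAC records are skipped.
SAMPLE_LINES = [
    "2018-12-09T04:39:50.301121+00:00 myhost kernel: [18288.676403] 0000001068|rsbac_adf_request(): request CHANGE_OWNER, pid 7712, ppid 7704, prog_name tor, prog_file /usr/bin/tor, uid 0, target_type PROCESS, tid 7712(tor,parent=7704(tor)), attr owner, value 113, result NOT_GRANTED (Softmode) by AUTH",
    "2018-12-09T04:39:50.368106+00:00 myhost kernel: [18288.743692] 0000001069|rsbac_adf_request(): request CHANGE_OWNER, pid 7720, ppid 7717, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 7720(start-stop-daem,parent=7717(man-db)), attr owner, value 6, result NOT_GRANTED (Softmode) by AUTH",
    '2018-12-09T04:39:50.085340+00:00 myhost rsyslogd:  [origin software="rsyslogd" swVersion="8.39.0" x-pid="2002" x-info="http://www.rsyslog.com"] rsyslogd was HUPed',
]

# Field layout taken from the records in the post; "(Softmode)" is optional.
RSBAC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"(?P<seq>\d+)\|rsbac_adf_request\(\): request (?P<request>\w+), "
    r"pid (?P<pid>\d+), ppid (?P<ppid>\d+), prog_name (?P<prog_name>[^,]+), "
    r"prog_file (?P<prog_file>[^,]+), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>\w+), tid (?P<tid>.+?), attr (?P<attr>\w+), "
    r"value (?P<value>[^,]+), result (?P<result>\w+)(?: \((?P<mode>\w+)\))? "
    r"by (?P<module>\w+)$"
)


def parse_rsbac_line(line):
    """Return the fields of one rsbac_adf_request() record, or None for other lines."""
    m = RSBAC_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("seq", "pid", "ppid", "uid"):
        rec[key] = int(rec[key])
    # "(Softmode)" marks a decision that was logged but not enforced.
    rec["softmode"] = rec.pop("mode") == "Softmode"
    return rec


def summarize_denials(lines):
    """Count NOT_GRANTED decisions per (module, request, prog_file).

    Records are deduplicated by the sequence number RSBAC prefixes to each
    record, so a line present in kern.log, messages and syslog counts once.
    """
    seen = set()
    counts = Counter()
    for line in lines:
        rec = parse_rsbac_line(line)
        if rec is None or rec["seq"] in seen:
            continue
        seen.add(rec["seq"])
        if rec["result"] == "NOT_GRANTED":
            counts[(rec["module"], rec["request"], rec["prog_file"])] += 1
    return counts


if __name__ == "__main__":
    # Feed the same records three times, as in the post's three log files.
    for key, n in sorted(summarize_denials(SAMPLE_LINES * 3).items()):
        print(n, *key)
```

Run over the concatenation of the three files, the summary lists what softmode would have denied, which is the policy work left before enforcement is switched on.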

