You can use syslog-ng to log RSBAC messages instead of the kernel's system log, which is much more convenient. Disable logging to the system log with the “rsbac_nosyslog” kernel boot parameter, or at runtime with echo “debug nosyslog 1” > /proc/rsbac-info/debug. The kernel must be built with the option “CONFIG_RSBAC_RMSG_NOSYSLOG” for this to work properly; syslog-ng then reads the messages from /proc/rsbac-info/rmsg.
Create an rc init script that starts a dedicated syslog-ng instance with its own configuration and pid file:
/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng-rsbac.conf -p /var/run/syslog-ng-rsbac.pid
The easiest way is to copy your distribution's syslog-ng init script and customize it, or to write your own.
Create the corresponding configuration file “/etc/syslog-ng/syslog-ng-rsbac.conf”:
######
# options
options {
    # disable the chained hostname format in logs
    # (default is enabled)
    chain_hostnames(0);
    # the number of lines fitting in the output queue
    log_fifo_size(2048);
    # enable or disable directory creation for destination files
    create_dirs(yes);
    # default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600)
    # Replace secoff with whichever user you want to use for
    # the policy protecting syslog-ng-rsbac
    owner(secoff);
    group(secoff);
    perm(0600);
    # default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700)
    # Replace secoff
    dir_owner(secoff);
    dir_group(secoff);
    dir_perm(0700);
    # enable or disable DNS usage
    # syslog-ng blocks on DNS queries, so enabling DNS may lead to
    # a Denial of Service attack
    # (default is yes)
    use_dns(no);
};

######
# sources
# all known message sources
source s_rsbac {
    internal();
    file("/proc/rsbac-info/rmsg" log_prefix("RSBAC: "));
};

######
# destinations
# some standard log files (paths must be quoted strings)
destination df_rsbac_all  { file("/secoff/log/security.log"); };
destination df_rsbac_reg  { file("/secoff/log/security-reg.log"); };
destination df_rsbac_daz  { file("/secoff/log/security-daz.log"); };
destination df_rsbac_ff   { file("/secoff/log/security-ff.log"); };
destination df_rsbac_rc   { file("/secoff/log/security-rc.log"); };
destination df_rsbac_auth { file("/secoff/log/security-auth.log"); };
destination df_rsbac_cap  { file("/secoff/log/security-cap.log"); };
destination df_rsbac_jail { file("/secoff/log/security-jail.log"); };
destination df_rsbac_res  { file("/secoff/log/security-res.log"); };

######
# filters
# per-module messages: each RSBAC decision line ends with "by <MODULE>"
filter f_rsbac_reg  { match("by REG$"); };
filter f_rsbac_daz  { match("by DAZ$"); };
filter f_rsbac_ff   { match("by FF$"); };
filter f_rsbac_rc   { match("by RC$"); };
filter f_rsbac_auth { match("by AUTH$"); };
filter f_rsbac_cap  { match("by CAP$"); };
filter f_rsbac_jail { match("by JAIL$"); };
filter f_rsbac_res  { match("by RES$"); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing
# in a "log" statement
# the unfiltered catch-all first, then one log statement per module
log { source(s_rsbac); destination(df_rsbac_all); };
log { source(s_rsbac); filter(f_rsbac_reg);  destination(df_rsbac_reg); };
log { source(s_rsbac); filter(f_rsbac_daz);  destination(df_rsbac_daz); };
log { source(s_rsbac); filter(f_rsbac_ff);   destination(df_rsbac_ff); };
log { source(s_rsbac); filter(f_rsbac_rc);   destination(df_rsbac_rc); };
log { source(s_rsbac); filter(f_rsbac_auth); destination(df_rsbac_auth); };
log { source(s_rsbac); filter(f_rsbac_cap);  destination(df_rsbac_cap); };
log { source(s_rsbac); filter(f_rsbac_jail); destination(df_rsbac_jail); };
log { source(s_rsbac); filter(f_rsbac_res);  destination(df_rsbac_res); };
Then start it under secoff credentials (the same user given as owner in the configuration), so that the policy protecting syslog-ng-rsbac and its log files applies to the running process.
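The following init script is an added example and not part of the RSBAC Handbook. It wraps the command line above in start/stop/status actions, refuses to start with a configuration that anyone other than its owner could edit (whoever can change the configuration controls where the security log goes), switches to secoff with su before starting syslog-ng, and has a check action that re-implements the “by MODULE” filters in shell so you can see how lines from a saved log would be routed. The paths, the account name secoff, the use of su -s, and the sample message format are assumptions; a non-root syslog-ng also needs write access to the directory holding its pid file, which a root-owned 0755 /var/run does not grant.

```shell
#!/bin/sh
# /etc/init.d/syslog-ng-rsbac (added example, not from the RSBAC Handbook)
# Runs a dedicated syslog-ng instance for /proc/rsbac-info/rmsg as the
# security officer, so the RSBAC policy that protects /secoff/log also
# governs the process writing into it.
# Assumed paths and account name; override via the environment if needed.
SYSLOG_NG=${SYSLOG_NG:-/sbin/syslog-ng}
CONF=${CONF:-/etc/syslog-ng/syslog-ng-rsbac.conf}
PIDFILE=${PIDFILE:-/var/run/syslog-ng-rsbac.pid}
SECOFF=${SECOFF:-secoff}

# The handbook's command line, built from the variables above.
syslogng_cmdline() {
    printf '%s -f %s -p %s' "$SYSLOG_NG" "$CONF" "$PIDFILE"
}

# Shell equivalent of the match("by XXX$") filters in the configuration:
# prints the lowercase module name for a message, or "all" when no
# per-module filter matches (such lines still reach security.log through
# the unfiltered log statement).
rsbac_module() {
    case "$1" in
        *" by REG")  echo reg ;;
        *" by DAZ")  echo daz ;;
        *" by FF")   echo ff ;;
        *" by RC")   echo rc ;;
        *" by AUTH") echo auth ;;
        *" by CAP")  echo cap ;;
        *" by JAIL") echo jail ;;
        *" by RES")  echo res ;;
        *)           echo all ;;
    esac
}

# Refuse to start with a missing, unreadable, or group/world-writable
# configuration: -perm -020 / -002 test the group and other write bits.
check_config() {
    [ -r "$CONF" ] || { echo "$CONF: missing or unreadable" >&2; return 1; }
    if [ -n "$(find "$CONF" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "$CONF: group- or world-writable, refusing to start" >&2
        return 1
    fi
}

# Prints the pid from the pid file if that process is alive.
running_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && echo "$pid"
}

start() {
    check_config || return 1
    if running_pid >/dev/null; then
        echo "syslog-ng-rsbac already running"
        return 0
    fi
    # Start under secoff credentials, as the handbook requires
    # (assumes the caller may switch to that user).
    su -s /bin/sh "$SECOFF" -c "$(syslogng_cmdline)"
}

stop() {
    pid=$(running_pid) || { echo "syslog-ng-rsbac not running"; return 0; }
    kill "$pid" && rm -f "$PIDFILE"
}

status() {
    if pid=$(running_pid); then
        echo "syslog-ng-rsbac running (pid $pid)"
    else
        echo "syslog-ng-rsbac not running"
        return 3
    fi
}

# Dry run of the filters: read log lines on stdin and count them per module.
check_filters() {
    while IFS= read -r line; do
        rsbac_module "$line"
    done | sort | uniq -c
}

if [ $# -gt 0 ]; then
    case "$1" in
        start|stop|status) "$1" ;;
        check) check_filters ;;
        *) echo "usage: $0 {start|stop|status|check}" >&2; exit 1 ;;
    esac
fi
```

To see how an existing log would be split, feed it to the check action, for example sh /etc/init.d/syslog-ng-rsbac check < /secoff/log/security.log; the “RSBAC: ” prefix added by the source does not disturb the trailing “by MODULE” match. Do not read /proc/rsbac-info/rmsg for this while the syslog-ng instance is running, since both readers would compete for the same messages.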
Table of Contents: RSBAC Handbook