Darknight wrote:

> On both my test machines I have lots of these messages in kern.log:
>
> Oct 10 18:59:08 silicon rsbac_adf_request(): request ACCEPT, pid
> 12797, ppid 12761, prog_name mysqld, prog_file /usr/sbin/my
> sqld, uid 60, audit_uid 60, target_type NETOBJ, tid dc2d4780 UNIX
> STREAM /var/run/mysqld/mysqld.sock, attr none, value none,
> result NOT_GRANTED (Softmode) by RC
>
> I really mean lots, I think I have followed scrupulously the guide,
> but I may be wrong. Everything seems to work but at the same time I
> get flooded by these messages. This gets so bad to the point where the
> flood fills memory and causes disconnections and lots of lag during an
> scp of many small files.
>
> Thanks in advance :)

Yep, I suggest you turn off logging via syslog and use rmsg. I wrote
a howto for syslog-ng here:
http://rsbac.org/documentation/administration_examples/syslog-ng

In short, simply have CONFIG_RSBAC_RMSG_NOSYSLOG compiled in the kernel and
boot with the kernel flag rsbac_nosyslog.
All messages will now be only logged to /proc/rsbac-info/rmsg, which
works like /proc/kmsg. This means you can use your favorite logger to
log and parse the messages.

A word of warning: syslog-ng will generate more messages because some
things it does get refused. If you don't fix those, you will fill your
log by watching it!
You may use rklogd which should generate no msg if you prefer.

Once you have done that, logging should become less of a problem; it will be
rate limited anyway.

Now let's take care of fixing your message:
Oct 10 18:59:08 silicon rsbac_adf_request(): request ACCEPT, pid 12797,
ppid 12761, prog_name mysqld, prog_file /usr/sbin/my
sqld, uid 60, audit_uid 60, target_type NETOBJ, tid dc2d4780 UNIX STREAM
/var/run/mysqld/mysqld.sock, attr none, value none,
result NOT_GRANTED (Softmode) by RC

This means you are running in non-enforcing mode (softmode, in RSBAC)
and that the RC module does not allow program mysqld (/usr/sbin/mysqld)
of uid 60 to use the request ACCEPT on the unix socket
/var/run/mysqld/mysqld.sock. It means denied requests WON'T be denied.
Just logged.

If this sounds like gibberish, please look at the target and requests
table here:
http://rsbac.org/documentation/targets_and_requests

Your target NETOBJ (UNIX STREAM) has a request for ACCEPT.

Please note that in RSBAC 1.3.0 (current stable is 1.2.5) Unix sockets
will be a filesystem target instead of a netobj. This is because it is
easier and more logical to administrate unix sockets.
However, you will have to deal with netobj until then :)

You will find an example of how to manage netobj/nettemplates here:
http://rsbac.org/documentation/administration_examples/network_access_control

Simply allow the accept request (and any other necessary, those are in
the logs).
You can use rsbac_menu to assign RC types, and manage those templates
"more easily".

Feel free to ask on the various IRC channels if any more help is needed
(freenode, #rsbac, #gentoo-hardened)

kang
--
gentoo-hardened@g.o mailing list
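
Added example, not part of kang's reply and not RSBAC project code: a small parser for the rsbac_adf_request() message discussed in this thread that groups NOT_GRANTED decisions by program, uid, request and target, so the requests that still need to be allowed in RC can be read off a softmode log. The names `KEY` and `sample_line` are hypothetical, all sample lines except the first are constructed, and treating "(Softmode)" as optional and the leading hex token of a NETOBJ tid as a per-socket id are assumptions.

```python
import re
from collections import Counter

# Field layout copied from the kern.log message quoted in this thread.
# Treating "(Softmode)" as optional is an assumption about enforcing mode.
LINE_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid \d+, ppid \d+, "
    r"prog_name (?P<prog>\S+), prog_file (?P<prog_file>\S+), "
    r"uid (?P<uid>\d+), audit_uid \d+, target_type (?P<target_type>\w+), "
    r"tid (?P<tid>.*?), attr \S+, value \S+, "
    r"result (?P<result>\w+)(?P<soft> \(Softmode\))? by (?P<modules>.+)$"
)
KEY = ("prog_file", "uid", "request", "target_type", "tid", "modules", "softmode")

def parse(line):
    """Return the fields of one rsbac_adf_request() message, or None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["softmode"] = rec.pop("soft") is not None
    if rec["target_type"] == "NETOBJ":
        # Assumption: the leading hex token is per-socket; drop it to aggregate.
        rec["tid"] = re.sub(r"^[0-9a-f]+ ", "", rec["tid"])
    return rec

def summarize(lines):
    """Count NOT_GRANTED decisions per program, uid, request and target."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["result"] == "NOT_GRANTED":
            counts[tuple(rec[k] for k in KEY)] += 1
    return counts.most_common()

def sample_line(request, pid, prog, path, uid, tid):
    """Build a line in the thread's layout (hypothetical helper for the sample)."""
    return (f"Oct 10 18:59:08 silicon rsbac_adf_request(): request {request}, "
            f"pid {pid}, ppid 12761, prog_name {prog}, prog_file {path}, "
            f"uid {uid}, audit_uid {uid}, target_type NETOBJ, tid {tid} UNIX "
            "STREAM /var/run/mysqld/mysqld.sock, attr none, value none, "
            "result NOT_GRANTED (Softmode) by RC")

SAMPLE = [
    sample_line("ACCEPT", 12797, "mysqld", "/usr/sbin/mysqld", 60, "dc2d4780"),  # from the thread
    sample_line("ACCEPT", 12801, "mysqld", "/usr/sbin/mysqld", 60, "dc2d4b00"),  # constructed
    sample_line("CONNECT", 12850, "mysql", "/usr/bin/mysql", 1000, "dc2d4c40"),  # constructed
    "Oct 10 18:59:09 silicon kernel: eth0: link up",  # constructed, not an RSBAC message
]
```

Calling `summarize()` on lines read from the rmsg log gives one row per distinct denied request with its hit count, most frequent first.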