| 1 |
Darknight wrote: |
| 2 |
|
| 3 |
> On both my test machines I have lots of these messages in kern.log: |
| 4 |
> |
| 5 |
> Oct 10 18:59:08 silicon rsbac_adf_request(): request ACCEPT, pid |
| 6 |
> 12797, ppid 12761, prog_name mysqld, prog_file /usr/sbin/my |
| 7 |
> sqld, uid 60, audit_uid 60, target_type NETOBJ, tid dc2d4780 UNIX |
| 8 |
> STREAM /var/run/mysqld/mysqld.sock, attr none, value none, |
| 9 |
> result NOT_GRANTED (Softmode) by RC |
| 10 |
> |
| 11 |
> I really mean lots, I think I have followed scrupolously the guide, |
| 12 |
> but I may be wrong. Everything seems to work but at the same time I |
| 13 |
> get flooded by these messages. This gets so bad to the point where the |
| 14 |
> flood fills memory and causes disconnections and lots of lag during an |
| 15 |
> scp of many small files. |
| 16 |
> |
| 17 |
> Thanks in advance :) |
| 18 |
|
| 19 |
Yep, I suggest you to turn off logging via syslog and use rmsg. I wrote |
| 20 |
a howto for syslog-ng here: |
| 21 |
http://rsbac.org/documentation/administration_examples/syslog-ng |
| 22 |
|
| 23 |
In short simply have CONFIG_RSBAC_RMSG_NOSYSLOG compiled in kernel and |
| 24 |
boot with the kernel flag rsbac_nosyslog |
| 25 |
All messages will now be only logged to /proc/rsbac-info/rmsg, which |
| 26 |
works alike /proc/kmsg. This means you can use your favorite logger to |
| 27 |
log and parse the messages. |
| 28 |
|
| 29 |
A word of warning: syslog-ng will generate more messages because some |
| 30 |
things it does get refused. If you dont fix thoses, you will fill your |
| 31 |
log by watching it! |
| 32 |
You may use rklogd which should generate no msg if you prefer. |
| 33 |
|
| 34 |
Once you did that, logging should become less of a problem, it will be |
| 35 |
rate limited anyway. |
| 36 |
|
| 37 |
Now let's take care of fixing your messsage: |
| 38 |
Oct 10 18:59:08 silicon rsbac_adf_request(): request ACCEPT, pid 12797, |
| 39 |
ppid 12761, prog_name mysqld, prog_file /usr/sbin/my |
| 40 |
sqld, uid 60, audit_uid 60, target_type NETOBJ, tid dc2d4780 UNIX STREAM |
| 41 |
/var/run/mysqld/mysqld.sock, attr none, value none, |
| 42 |
result NOT_GRANTED (Softmode) by RC |
| 43 |
|
| 44 |
This means you are running in non-enforcing mode (softmode, in RSBAC) |
| 45 |
and that the RC module does not allow program mysqld -/usr/sbin/mysqld) |
| 46 |
of uid 60 to use the request ACCEPT on the unix socket |
| 47 |
/var/run/mysqld/mysqld.sock. It means denied requests WONT be denied. |
| 48 |
Just logged. |
| 49 |
|
| 50 |
If this sounds like giberring, please look at the target and requests |
| 51 |
table here: |
| 52 |
http://rsbac.org/documentation/targets_and_requests |
| 53 |
|
| 54 |
Your target NETOBJ (UNIX STREAM) has a request for ACCEPT. |
| 55 |
|
| 56 |
Please note that in RSBAC 1.3.0 (current stable is 1.2.5) Unix sockets |
| 57 |
will be a filesystem target instead of a netobj. This is because it is |
| 58 |
easier and more logical to administrate unix sockets. |
| 59 |
However, you will have to deal with netobj until then :) |
| 60 |
|
| 61 |
You will find an example how to manage netobj/nettemplates here: |
| 62 |
http://rsbac.org/documentation/administration_examples/network_access_control |
| 63 |
|
| 64 |
Simply allow the accept request (and any other necessary, thoses are in |
| 65 |
logs) |
| 66 |
You can use rsbac_menu to assign RC types, and manage thoses templates |
| 67 |
"more easily". |
| 68 |
|
| 69 |
Feel free to ask on the various IRC channel if any more help is needed |
| 70 |
(freenode, #rsbac, #gentoo-hardened) |
| 71 |
|
| 72 |
kang |
| 73 |
-- |
| 74 |
gentoo-hardened@g.o mailing list |
Archives