RSBAC Handbook
You can use syslog-ng to collect RSBAC's log messages in dedicated files instead of the general system log.
Disable RSBAC logging to the system log with the "rsbac_nosyslog" kernel boot parameter, or at runtime with echo "debug nosyslog 1" > /proc/rsbac-info/debug. The kernel option "CONFIG_RSBAC_RMSG_NOSYSLOG" must be compiled in for this to work properly.
Simply create an rc init script with this line to start a separate syslog-ng instance:
/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng-rsbac.conf -p /var/run/syslog-ng-rsbac.pid
The easiest way is to copy your distribution's syslog-ng init script and adapt the config and pid file paths.
Create the corresponding configuration file "/etc/syslog-ng/syslog-ng-rsbac.conf":
######
# options
options {
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);
# the number of lines fitting in the output queue
log_fifo_size(2048);
# enable or disable directory creation for destination files
create_dirs(yes);
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
# Replace secoff with whoever user you want to use for
# the policy protecting syslog-ng-rsbac
owner(secoff);
group(secoff);
perm(0600);
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
# Replace secoff
dir_owner(secoff);
dir_group(secoff);
dir_perm(0700);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);
};
######
# sources
# all known message sources
# RSBAC messages are read from the kernel's rmsg interface in /proc
# (log_prefix() is the syslog-ng 1.x/2.x option; on 3.x it is deprecated
# in favour of program_override())
source s_rsbac {
internal();
file("/proc/rsbac-info/rmsg" log_prefix("RSBAC: "));
};
######
# destinations
# per-module log files; file() takes a quoted path, and /secoff/log is
# created on demand because of create_dirs(yes) above
destination df_rsbac_all { file("/secoff/log/security.log"); };
destination df_rsbac_reg { file("/secoff/log/security-reg.log"); };
destination df_rsbac_daz { file("/secoff/log/security-daz.log"); };
destination df_rsbac_ff { file("/secoff/log/security-ff.log"); };
destination df_rsbac_rc { file("/secoff/log/security-rc.log"); };
destination df_rsbac_auth { file("/secoff/log/security-auth.log"); };
destination df_rsbac_cap { file("/secoff/log/security-cap.log"); };
destination df_rsbac_jail { file("/secoff/log/security-jail.log"); };
destination df_rsbac_res { file("/secoff/log/security-res.log"); };
######
# filters
# one filter per decision module, matched on the "by <MODULE>" text the
# kernel puts at the end of the message (substring match, not anchored)
filter f_rsbac_reg { match("by REG"); };
filter f_rsbac_daz { match("by DAZ"); };
filter f_rsbac_ff { match("by FF"); };
filter f_rsbac_rc { match("by RC"); };
filter f_rsbac_auth { match("by AUTH"); };
filter f_rsbac_cap { match("by CAP"); };
filter f_rsbac_jail { match("by JAIL"); };
filter f_rsbac_res { match("by RES"); };
######
# logs
# order only matters if you use "flags(final);" to stop processing in a
# "log" statement; without it every message is checked against all rules,
# so each message lands in security.log plus its module-specific file
log {
source(s_rsbac);
destination(df_rsbac_all);
};
log {
source(s_rsbac);
filter(f_rsbac_reg);
destination(df_rsbac_reg);
};
log {
source(s_rsbac);
filter(f_rsbac_daz);
destination(df_rsbac_daz);
};
log {
source(s_rsbac);
filter(f_rsbac_ff);
destination(df_rsbac_ff);
};
log {
source(s_rsbac);
filter(f_rsbac_rc);
destination(df_rsbac_rc);
};
log {
source(s_rsbac);
filter(f_rsbac_auth);
destination(df_rsbac_auth);
};
log {
source(s_rsbac);
filter(f_rsbac_cap);
destination(df_rsbac_cap);
};
log {
source(s_rsbac);
filter(f_rsbac_jail);
destination(df_rsbac_jail);
};
log {
source(s_rsbac);
filter(f_rsbac_res);
destination(df_rsbac_res);
};
Then start it with the init script and check that the files under /secoff/log are being written.
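As an added illustration that is not part of the handbook, the following Python mirrors what the log statements above do with one message: every line goes to security.log, and a line naming a module ("by RC", "by FF", ...) additionally goes to that module's file. The sample messages are constructed in the style of RSBAC's rmsg output, and the NOT_GRANTED counter assumes that shape, so compare it against your own security.log before relying on it.

```python
import re
from collections import Counter

# Module names and per-module files exactly as in syslog-ng-rsbac.conf above.
MODULES = ("REG", "DAZ", "FF", "RC", "AUTH", "CAP", "JAIL", "RES")
ALL_LOG = "/secoff/log/security.log"


def module_log(module):
    """Destination file for one module, e.g. RC -> /secoff/log/security-rc.log."""
    return "/secoff/log/security-%s.log" % module.lower()


def route(line):
    """Return the files a message is written to under the config's log statements.

    Every message goes to security.log (that log statement has no filter); it
    also goes to security-<mod>.log for each filter whose text "by <MOD>" occurs
    in it, which is what match("by RC") etc. do (substring match, no anchoring).
    """
    targets = [ALL_LOG]
    for module in MODULES:
        if "by %s" % module in line:
            targets.append(module_log(module))
    return targets


# Denial lines name the decision and the deciding module. This pattern follows
# the shape of the constructed samples below, not a guaranteed RSBAC format.
_DENIAL = re.compile(r"result NOT_GRANTED.*\bby (?P<module>[A-Z]+)")


def denials_by_module(lines):
    """Count NOT_GRANTED decisions per module: the first thing to review
    after the per-module logs start filling up."""
    counts = Counter()
    for line in lines:
        m = _DENIAL.search(line)
        if m:
            counts[m.group("module")] += 1
    return dict(counts)


# Constructed sample messages in the style of RSBAC's rmsg output (not real captures).
SAMPLE_LINES = [
    "RSBAC: rsbac_adf_request(): request WRITE_OPEN, pid 1042, uid 1000, prog_name vi, "
    "target_type FILE, tid Path /etc/shadow, result NOT_GRANTED by RC",
    "RSBAC: rsbac_adf_request(): request MODIFY_PERMISSIONS, pid 1100, uid 0, "
    "prog_name chmod, target_type FILE, tid Path /sbin/init, result NOT_GRANTED by FF",
    "RSBAC: rsbac_adf_request(): request EXECUTE, pid 1200, uid 1000, prog_name bash, "
    "target_type FILE, tid Path /bin/ls, result NOT_GRANTED by RC",
    "RSBAC: rsbac_adf_set_attr(): attribute update failed",  # no module name: main log only
]
```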