Monday, March 14, 2011

rsyslog and grsecurity (Ubuntu 10.04)

Selecting grsecurity's "Proc restrictions" might break a few things. One of them is rsyslog's kernel logging capability. Upon booting, this message would show up in my kern.log:

kernel: imklog: Cannot read proc file system, 1.

One way to solve this problem is to add rsyslog to a special group (defined during the kernel configuration phase) whose members are able to view all processes, network-related information, and kernel and symbol information.

I do not like giving rsyslog root privileges (albeit read-only) over the proc file system, so I started digging around the net and found this article, which outlines an elegant solution to a bug that causes essentially the same problem I am having: rsyslog cannot access /proc/kmsg.

For my future reference I will replicate the solution given there. In summary, we are going to pipe messages from /proc/kmsg (which the unprivileged rsyslog process is not permitted to read) into a named pipe in a directory fully owned by rsyslog's syslog user. The magic is done by the Upstart job shown below.

Create a file named rsyslog-kmsg.conf in /etc/init/ and copy the text below into it.

# rsyslog-kmsg - feed /proc/kmsg into rsyslog
# This service is used to feed output from /proc/kmsg into rsyslog so
# it does not need to be privileged.

description "feed /proc/kmsg into rsyslog"

start on starting rsyslog
stop on stopped rsyslog
pre-start script
  mkdir -p /var/run/rsyslog
  chown syslog:syslog /var/run/rsyslog

  [ -e /var/run/rsyslog/kmsg ] || mkfifo -m 600 /var/run/rsyslog/kmsg
  chown syslog:syslog /var/run/rsyslog/kmsg
end script

exec dd bs=1 if=/proc/kmsg of=/var/run/rsyslog/kmsg

post-stop script
  rm /var/run/rsyslog/kmsg
end script

Register rsyslog-kmsg with the upstart-job mechanism:

# ln -s /lib/init/upstart-job /etc/init.d/rsyslog-kmsg

In /etc/rsyslog.conf, change the value of $KLogPath from /proc/kmsg (which no longer works) to /var/run/rsyslog/kmsg (the named pipe defined in the job above):

# vi /etc/rsyslog.conf
$KLogPath /var/run/rsyslog/kmsg #changed from /proc/kmsg

Then restart rsyslog:

# restart rsyslog

Everything should work now. Check by tailing kern.log and verifying that new kernel messages are being written there:

# tail /var/log/kern.log
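As an added check (my own script, not part of the original post or of rsyslog), the following verifies the three things the hand-off above depends on: $KLogPath in rsyslog.conf points at the pipe, the pipe really is a FIFO with mode 600 (so no other local user can read kernel messages or inject fake ones into the feed), and it has the expected owner. The paths and the expected owner are parameters so it can be tried against a scratch copy without root; the defaults are the real ones from this post.

```shell
#!/bin/sh
# Verify the /proc/kmsg -> FIFO -> rsyslog hand-off described above.
# Added example, not from the original post. Defaults are the real paths;
# pass a scratch config, FIFO and "user:group" to try it without root.

# Print the value of $KLogPath from an rsyslog.conf file. A trailing
# comment after the value is stripped; the last occurrence wins.
klog_path() {
    conf="$1"
    sed -n 's/^[[:space:]]*\$KLogPath[[:space:]]\{1,\}\([^#[:space:]]*\).*/\1/p' "$conf" | tail -n 1
}

# Return 0 if "$1" is a named pipe that only its owner can read or write
# (mode 600). GNU stat is tried first, BSD stat as a fallback.
fifo_ok() {
    fifo="$1"
    [ -p "$fifo" ] || { echo "not a FIFO: $fifo" >&2; return 1; }
    mode=$(stat -c '%a' "$fifo" 2>/dev/null || stat -f '%Lp' "$fifo" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "mode $mode, expected 600: $fifo" >&2; return 1; }
    return 0
}

# Tie it together: the config must point at a correctly protected FIFO
# owned by the account rsyslog runs as (syslog:syslog on Ubuntu).
check_kmsg_setup() {
    conf="${1:-/etc/rsyslog.conf}"
    expected="${2:-/var/run/rsyslog/kmsg}"
    want_owner="${3:-syslog:syslog}"
    path=$(klog_path "$conf")
    [ "$path" = "$expected" ] || { echo "\$KLogPath is '$path', expected $expected" >&2; return 1; }
    fifo_ok "$path" || return 1
    owner=$(stat -c '%U:%G' "$path" 2>/dev/null || stat -f '%Su:%Sg' "$path" 2>/dev/null)
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, expected $want_owner: $path" >&2; return 1; }
    echo "kmsg hand-off OK: $path ($owner, mode 600)"
    return 0
}

# On the real host, run as root with no arguments: check_kmsg_setup
```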


1 comment:

Hi Dako,
Thank you for re-posting this solution (I couldn't access the original). It worked a treat for me on Ubuntu 11.10.