learning mode

Posted: Sun Dec 01, 2002 6:00 pm
by miha
Before running grsec in normal mode, I set learning mode on everything.
Here is what my /etc/grsec/acl looks like:
Code:
/ lo {
        /lib r
        /proc/sys r
        /dev/mem h
        /dev/kmem h
        /etc/grsec x
        /root rx
        /boot rx
        /etc rw
        /bin rx
        /home rxw
        /usr rx
        /sbin rx
        /tmp rw
        / rw
        +CAP_ALL
}

/usr/bin/passwd lo {
        /usr/bin/passwd x
        / h
        /home x
        -CAP_ALL
}

/usr/local/apache/bin/httpd lo {
        /usr/local/apache/bin/httpd x
        / h
        /home x
        /tmp rw
        -CAP_ALL
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/sbin/sendmail lo {
        / h
        /tmp rw
        -CAP_ALL
        RES_NPROC 15 20
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/sbin/exim lo {
        / h
        /tmp rw
        -CAP_ALL
        RES_NPROC 15 20
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/bin/perl lo {
        / h
        /home x
        /tmp rw
        -CAP_ALL
        RES_NPROC 20 25
        connect {
                disabled
        }
        bind {
                disabled
        }
}

And after that I run "gradm -L -O learn".

After 24 hours of running in learning mode, the file "learn" didn't change at all. It is still the same as in the first second of running in learn mode.
This server serves a lot of bandwidth and mirrors; there was 15GB of bandwidth in these 24 hours, but no changes for /usr/local/apache/bin/httpd, which was run a lot.

Any suggestions what I'm doing wrong?

Posted: Sun Dec 01, 2002 7:53 pm
by spender
To enable learning mode you have to enable the ACL system. I don't see how you could have enabled the ACL system with your default ACL that grants +CAP_ALL. You have to enable the ACL system, run it for a while, and then use gradm -L -O /etc/grsec/acl. The -L option just parses the logs; it doesn't enable the system and create them.

-Brad

Posted: Sun Dec 01, 2002 8:24 pm
by miha
Great, thanks, now I see how it is going.

Posted: Tue Jul 15, 2003 8:30 am
by spiekey
spender wrote: To enable learning mode you have to enable the ACL system. I don't see how you could have enabled the ACL system with your default ACL that grants +CAP_ALL.

How do you enable the ACL System then? ;)

Cheers, Spiekey