grsecurity forums

by **RaYmAn** » Thu Jul 10, 2003 12:24 pm

Hi
I just upgraded to grsecurity-2.0rc1 today and gradm2...
I'm attempting to use the Full learning mode, but I can't seem to get it working...
when I run /sbin/gradm -F -L /etc/grsec/llog I get the following error:

in my /var/log/warnings it creates the following entries:

I have tried playing around with different "basic" ACL configurations but it doesn't seem to change anything at all...
So..Any ideas how to fix this error?
-Jens Andersen aka RaYmAn

by **RaYmAn** » Thu Jul 10, 2003 1:04 pm

When running gradm2 cvs rather than the released version I get the added error in /var/log/warnings:

-Jens Andersen

by **spender** » Thu Jul 10, 2003 7:42 pm

use current cvs of grsecurity 2 also.

-Brad

by **spender** » Thu Jul 10, 2003 7:43 pm

also, it looks like you're trying to enable the full learning mode when the RBAC system is already enabled. The RBAC system must be disabled for you to enable the system in full learning mode.

-Brad

by **RaYmAn** » Fri Jul 11, 2003 8:12 am

also, it looks like you're trying to enable the full learning mode when the RBAC system is already enabled. The RBAC system must be disabled for you to enable the system in full learning mode.

Hmm. It seems you are right.
The odd thing is that I never enabled it after booting so it should really work..
but I don't know. Somehow it must have gotten enabled.
Regardless...putting it into learning mode just made everything pretty much inaccessible...Guess I should have done it while I could get physical access to it, heh
Oh well..no mail for a few hours I suppose...
-Jens Andersen

by **gkweb** » Sun Jul 13, 2003 1:03 pm

Hi,

i have the same error, and me too i didn't activate anything.
I'm running my system with pre configured "Medium" security level, all works well except when i try Full learning mode, i have the error shown here.
I's weird because i just boot up, i didn't activate ACL (block all my system, i'm don't know well enough linux system to get it work) this is why i tried Full learning mode, but don't work, hope the pb will be solved soon.

In all case, really great job (how many coffee cup to do this ? o_O )

regards,

gkweb.

by **spender** » Sun Jul 13, 2003 2:44 pm

this happens for both of you with the current cvs of grsecurity 2 and gradm 2?

-Brad

by **gkweb** » Sun Jul 13, 2003 3:01 pm

i downloaded from the website link, not cvs, i'm not very familiar with it :oops:

gkweb.

EDIT : can't make it to run on my gateway (command doesn't exists), and can't find CVS sources anywhere... so if someone could give me a link to download the last patch (i browsed CVS tree but it's not a patch) and the last gradm2, i will test it and report results as soon as possible, thanks

by **RaYmAn** » Mon Jul 14, 2003 2:53 am

this happens for both of you with the current cvs of grsecurity 2 and gradm 2?
-Brad

Not quite. I'm using rc1 release from website.
However, I did manage to get full learning mode enabled finally. (with rc1)
However, now I have a new problem.
I left it running for a day or so and ended up with a around 27mb log..
Fine I thought, disabled the learning and ran gradm -F -L /path/to/log -O /path/to/gen_acl
Seemed to work fine....it used around 230mb ram and used 97% cpu for around 1-2 hours, but then something happened...it crashed..only very few acls had been written to disk, but it simply crashed...I can provide you with an strace if you so wish..
However, I prefer not to have to reboot my server once again if at all possible. I figured a rc1 release would be fairly stable and hence would work on a semi-production system...(I'll have a fair deal of users bitching at me if I start rebooting with a fresh cvs every second day...)
So...Any ideas as to how to fix this? (I can provide a bit or all of the learning log if you wish to see if it's a problem with that?)

Edit: After doing some more tests the parsing seems to work with very small log files, i.e. 4kb ones work..I tried with around 300kb too but that failed just like the 27mb file.

Regards,
Jens Andersen

by **gkweb** » Mon Jul 14, 2003 6:50 am

can you provide me information to get it to work pls ?

thanks :wink:

regards,

gkweb.

by **RaYmAn** » Mon Jul 14, 2003 6:58 am

can you provide me information to get it to work pls ?

Well..I can try..
I'm pretty sure that all I did to get it work was that I ran gradm -D, entered password and then it said the RBAC system was disabled now, and then I could run gradm -F(...) and it worked just fine...except for the parsing of the resulting log files, but I think that's an unrelated problem...

-Jens Andersen

by **gkweb** » Mon Jul 14, 2003 8:03 am

it doesn't work for me, i enter gradm -D, it tell me to enter password, and after again the error "Error opening dev/grsec:"

(grsecurity version available on the website).

by **gkweb** » Mon Jul 14, 2003 8:41 pm

i downloaded last CVS version, and now no error messages, it accept the command, but the system freeze within 5s, have to reboot with reset button.
May be it's because i use the lastest gradm2 version with the grsecurity patch 2.0-rc1 from the website link (not the last version) ?

I have the lastests grsecurity2 files on my hardrive but i don't know who to merge them in a "patch" file, is there a command ?

regards,

gkweb.

by **spender** » Mon Jul 14, 2003 11:31 pm

rayman: i'd like to see a gdb backtrace of gradm. If you could, add -ggdb to the CFLAGS in the makefile and comment the lines that strip the binary. Run gradm under gdb and when it crashes, enter "bt". Post the backtrace here.

-Brad

by **spender** » Mon Jul 14, 2003 11:50 pm

also, you can mail the 300kb learning log to spender@grsecurity.net

-Brad

grsecurity forums

Problem with grsecurity-2.0rc1/gradm2

Problem with grsecurity-2.0rc1/gradm2