learning 1.9.8rc1 / 1.6rc1 and syslog-ng

Discuss and suggest new grsecurity features

learning 1.9.8rc1 / 1.6rc1 and syslog-ng

Postby dermike » Thu Dec 12, 2002 6:44 pm

Im using:
linux 2.4.20
grsecurity-1.9.8 rc1
gradm-1.6 rc1
syslog-ng 1.4.16
gentoo 1.4 rc1

Learning hasn't been working for me, so I did some investigating.

It seems that gradm expects the followign format:
Mon DD HH:MM:SS hostname kernel: grsec: LEARN:xxxxxxxxxxx

Syslog-NG puts out:
Mon DD HH:MM:SS hostname grsec: LEARN:xxxxxxxxxxxxxxxx

And Grsec 1.9.8rc1 adds "From x.x.x.x:" to the beginning of its log entries that are caused from remote connections.

So am I crazy, or is my information correct?

I parsed my LEARN log entries through the following perl regex and learning suddenly worked.

Code: Select all
s/^(Dec 12 ..:..:.. cerebus) (grsec:) (?:From 172.19.151.156: )?(LEARN:.+)$/$1 kernel: $2 $3/go

(note: was a 30 second write)

I triedto modify the gradm_learner.l , but it seems my lex skills are very rusty.

Anyway, someone tell me I am completely wrong here. :D
dermike
 
Posts: 6
Joined: Mon Mar 04, 2002 6:56 pm

Postby spender » Thu Dec 12, 2002 7:14 pm

no you're right. grsecurity doesn't support learning from syslog-ng, though I willl add that in asap. I also forgot to change one of the learning logs (the socket acl ones) to the different macro that doesn't log the IP. I've committed the change to CVS.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby TGKx » Wed Feb 19, 2003 11:38 pm

ahh this is bad please fix this i use syslog-ng too :o

i have latest csv and it appears that grsec wants to read syslog.conf (which doesnt exist thanks to syslog-ng which has its own conf in /etc/syslong-ng/syslog-ng.conf).

A really cheap work around I did that may help others is I made a fake syslog.conf in /etc, and just put in:

kern.* /var/log/filewithgrseclogs

it reads and picks it up happily.
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Wed Feb 19, 2003 11:46 pm

Grsec supports the format of the log file itself, however the syslog-ng config file is so horribly complex, it would be silly to have a complete lex/yacc combo just for it. So you have to add an argument to the -L flag...shouldn't be too much of an inconvenience :)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby TGKx » Wed Feb 19, 2003 11:50 pm

i've been accused more than once of doing things the hard way lol.

thanks for the help
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am


Return to grsecurity development

cron