
Truncated exec messages

Posted: Tue Jun 19, 2007 6:30 pm
by bplant
Hi,

I'm running grsecurity on 2.6.18.8 under Xen 3.1 (sorry, that means I can't upgrade to latest). The system is a 64-bit Gentoo installation.

I have noticed that occasionally (maybe once per day or less), I get truncated exec log messages. For example:

gios/bin/nagios) exec of /bin/bash (sh -c /usr/nagios/libexec/check_ping -H 10.10.20.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /usr/nagios/bin/nagios[nagios:29366] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:919] uid/euid:414/414 gid/egid:414/414

gios[nagios:6238] uid/euid:414/414 gid/egid:414/414

>grsec: (nagios:U:/usr/nagios/bin/nagios) exec of /usr/nagios/libexec/check_ping (/usr/nagios/libexec/check_ping -H 10.10.50.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /bin/bash[sh:5151] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:23988] uid/euid:414/414 gid/egid:414/414

The issue seems to only appear on the monitoring servers (the ones that run nagios), but I have seen it on one of the mail servers maybe once. The truncated log messages are very rare given the ~1 million exec messages logged per day. I would never have noticed it had I not been running log monitoring software.

I never witnessed the log truncation when running the 2.6.16.x kernels with grsec and older versions of Xen, and syslog-ng hasn't been upgraded at all. While Xen has been upgraded, I wouldn't have thought it should affect logging.

Any help/clues/fixes/suggestions most welcome.

Cheers,

Brad
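
A log-monitoring check for the truncation described in the post above, as an added example (not part of the original post and not grsecurity code). The record layout is inferred from the one complete line quoted in the post, and the names `classify` and `scan` are hypothetical.

```python
import re

# One process descriptor, as in the post: /path[comm:pid] uid/euid:N/N gid/egid:N/N
PROC = (r"(?P<{0}_path>/\S+)\[(?P<{0}_comm>[^\]:]+):(?P<{0}_pid>\d+)\] "
        r"uid/euid:\d+/\d+ gid/egid:\d+/\d+")

# Full exec record; layout inferred from the complete line in the post (assumption).
FULL = re.compile(
    r"^grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]*)\) "
    r"exec of (?P<target>/\S+) \((?P<args>.*)\) by "
    + PROC.format("proc") + ", parent " + PROC.format("parent") + "$")

# A record that lost its beginning still ends with the credential fields.
TAIL = re.compile(r"uid/euid:\d+/\d+ gid/egid:\d+/\d+$")


def classify(line):
    """Return 'complete', 'head-truncated' or 'unrecognized' for one message."""
    line = line.strip()
    if FULL.match(line):
        return "complete"
    if not line.startswith("grsec: ") and TAIL.search(line):
        return "head-truncated"
    return "unrecognized"


def scan(lines):
    """Return (line_number, kind, text) for every message that is not complete."""
    kinds = [(n, classify(l), l.strip()) for n, l in enumerate(lines, 1)]
    return [entry for entry in kinds if entry[1] != "complete"]


# Messages taken from the post; the leading '>' on the complete one is dropped.
SAMPLE = [
    "gios/bin/nagios) exec of /bin/bash (sh -c /usr/nagios/libexec/check_ping -H 10.10.20.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /usr/nagios/bin/nagios[nagios:29366] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:919] uid/euid:414/414 gid/egid:414/414",
    "gios[nagios:6238] uid/euid:414/414 gid/egid:414/414",
    "grsec: (nagios:U:/usr/nagios/bin/nagios) exec of /usr/nagios/libexec/check_ping (/usr/nagios/libexec/check_ping -H 10.10.50.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /bin/bash[sh:5151] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:23988] uid/euid:414/414 gid/egid:414/414",
]

if __name__ == "__main__":
    for n, kind, text in scan(SAMPLE):
        print(f"line {n}: {kind}: {text[:60]}")
```

The input is assumed to be the message part of each syslog entry, pre-filtered to exec records; other grsec message types would be reported as `unrecognized`.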

Re: Truncated exec messages

Posted: Fri Jan 11, 2008 7:45 pm
by bplant
Just a note, this still occurs with a grsecurity-2.1.10-200704241759 that I rolled for a 2.6.20 kernel recently to work with xen. Patch can be found at http://ayuda.com.au/pub/. I would love to upgrade to the latest version of grsec, but the xen implementation currently in mainline is very cut down and doesn't have a lot of features that we use.

Cheers,

Brad

Re: Truncated exec messages

Posted: Sun Jan 13, 2008 10:18 am
by PaX Team
bplant wrote: I would love to upgrade to the latest version of grsec, but the xen implementation currently in mainline is very cut down and doesn't have a lot of features that we use.
my understanding is that 2.6.23 has domU support, but not dom0. are you trying to use grsec in the latter as well? in any case, it'd help me a lot if you/others began testing 2.6.23/domU as i tried to change PaX to accommodate it as well but can't test it myself (well, not without the effort of setting up a whole Xen environment, something i don't have the time for right now).

Re: Truncated exec messages

Posted: Sun Jan 13, 2008 4:13 pm
by bplant
Yep, I am using grsec on both dom0 and domU. Unfortunately the xen implementation in 2.6.23 isn't complete. When I say that I mean it doesn't have suspend/resume, memory ballooning or live migration, not to mention that it is 32 bit only and I am using 64.