grsecurity forums

Im using:
linux 2.4.20
grsecurity-1.9.8 rc1
gradm-1.6 rc1
syslog-ng 1.4.16
gentoo 1.4 rc1

Learning hasn't been working for me, so I did some investigating.

It seems that gradm expects the followign format:
Mon DD HH:MM:SS hostname kernel: grsec: LEARN:xxxxxxxxxxx

Syslog-NG puts out:
Mon DD HH:MM:SS hostname grsec: LEARN:xxxxxxxxxxxxxxxx

And Grsec 1.9.8rc1 adds "From x.x.x.x:" to the beginning of its log entries that are caused from remote connections.

So am I crazy, or is my information correct?

I parsed my LEARN log entries through the following perl regex and learning suddenly worked.

Code: Select all

s/^(Dec 12 ..:..:.. cerebus) (grsec:) (?:From 172.19.151.156: )?(LEARN:.+)$/$1 kernel: $2 $3/go

(note: was a 30 second write)

I triedto modify the gradm_learner.l , but it seems my lex skills are very rusty.

Anyway, someone tell me I am completely wrong here.

no you're right. grsecurity doesn't support learning from syslog-ng, though I willl add that in asap. I also forgot to change one of the learning logs (the socket acl ones) to the different macro that doesn't log the IP. I've committed the change to CVS.

-Brad

ahh this is bad please fix this i use syslog-ng too

i have latest csv and it appears that grsec wants to read syslog.conf (which doesnt exist thanks to syslog-ng which has its own conf in /etc/syslong-ng/syslog-ng.conf).

A really cheap work around I did that may help others is I made a fake syslog.conf in /etc, and just put in:

kern.* /var/log/filewithgrseclogs

it reads and picks it up happily.

Grsec supports the format of the log file itself, however the syslog-ng config file is so horribly complex, it would be silly to have a complete lex/yacc combo just for it. So you have to add an argument to the -L flag...shouldn't be too much of an inconvenience

-Brad

i've been accused more than once of doing things the hard way lol.

thanks for the help