Hello GR Users!
I have installed grsec and selected the following settings:
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Buffer Overflow Protection
#
CONFIG_GRKERNSEC_PAX=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_MMAPFIXED=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
#
# Access Control Lists
#
CONFIG_GRKERNSEC_ACL=y
# CONFIG_GR_DEBUG is not set
CONFIG_GRKERNSEC_ACL_CAPLOG=y
CONFIG_GRADM_PATH="/sbin/gradm"
CONFIG_GR_MAXTRIES=2
CONFIG_GR_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_FD=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_SIG=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_PTRACE=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_KBMAP=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_SUID=y
CONFIG_GRKERNSEC_TIME=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_IPC is not set
CONFIG_GRKERNSEC_TTYROOT=y
# CONFIG_GRKERNSEC_TTYROOT_PHYS is not set
CONFIG_GRKERNSEC_TTYROOT_SERIAL=y
# CONFIG_GRKERNSEC_TTYROOT_PSEUDO is not set
CONFIG_GRKERNSEC_FORKBOMB=y
CONFIG_GRKERNSEC_FORKBOMB_GID=100
CONFIG_GRKERNSEC_FORKBOMB_SEC=40
CONFIG_GRKERNSEC_FORKBOMB_MAX=20
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_GROUP=y
CONFIG_GRKERNSEC_PTRACE_GID=10
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_RANDTTL=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
#
# Miscellaneous Features
#
CONFIG_GRKERNSEC_FLOODTIME=20
# CONFIG_GRKERNSEC_COREDUMP is not set
- I have took spenders ACL files from the
ACL development forum. If i try to start
gradm with "gradm -E" - my box is out of my
control NOHTING works more - i can only
do a hardware reset. I use slackware 8 on my box.
I have installed IP tables too - maybe ACL fight
with grsec and this is the reason?
Here is a port from the log ( i have removed the
lins for programs that i have not installed in the
acl files - i paste the nox in a 2 posting ).
Can anyone help me please?
When i start gradm - i have no control more ... :\
6 posts
• Page 1 of 1
When i start gradm - i have no control more ... :\
by Stefan » Fri Apr 26, 2002 5:35 am
- Stefan
- Posts: 3
- Joined: Fri Apr 26, 2002 5:21 am
by Stefan » Fri Apr 26, 2002 5:40 am
The lines which let me know that programes are
not there have i removed in acl files
grsec: Duplicate entries in config file /etc/grsec/proc.acl at line 21
grsec: more duplicate entries, logging disabled for 20 seconds
grsec: Unable to locate file /var/log/httpd on line 7 of /etc/grsec/file.acl
grsec: more , logging disabled for 20 seconds
grsec: Loaded grsecurity 2.0
grsec: attempt to mmap 32059 771 executableby (bash:14800) UID(508) EUID(508), parent (sshd:14799) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to mmap 228923 771 executableby (gradm:14803) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to access hidden file with inode 357447 dev 771 by (bash:14763) UID(0) EUID(0), parent (sshd:14762) UID(0) EUID(0)
grsec: exec of /bin/sh by (perl:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0) attempted to use 1 malicious environment(s)
attempt to mmap 32059 771 executableby (sh:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: more malicious environments, logging disabled for 20 seconds
grsec: attempt to mmap 32082 771 executableby (ls:14881) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: exec of /bin/sh by (perl:14882) UID(0) EUID(0), parent (perl:14879) UID(0) EUID(0) attempted to use 1 malicious environment(s)
grsec: attempt to mmap 224791 771 executableby (reboot:15005) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
I hope anyone can help me please ...
Regards,
Stefan
not there have i removed in acl files
grsec: Duplicate entries in config file /etc/grsec/proc.acl at line 21
grsec: more duplicate entries, logging disabled for 20 seconds
grsec: Unable to locate file /var/log/httpd on line 7 of /etc/grsec/file.acl
grsec: more , logging disabled for 20 seconds
grsec: Loaded grsecurity 2.0
grsec: attempt to mmap 32059 771 executableby (bash:14800) UID(508) EUID(508), parent (sshd:14799) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to mmap 228923 771 executableby (gradm:14803) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to access hidden file with inode 357447 dev 771 by (bash:14763) UID(0) EUID(0), parent (sshd:14762) UID(0) EUID(0)
grsec: exec of /bin/sh by (perl:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0) attempted to use 1 malicious environment(s)
attempt to mmap 32059 771 executableby (sh:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: more malicious environments, logging disabled for 20 seconds
grsec: attempt to mmap 32082 771 executableby (ls:14881) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: exec of /bin/sh by (perl:14882) UID(0) EUID(0), parent (perl:14879) UID(0) EUID(0) attempted to use 1 malicious environment(s)
grsec: attempt to mmap 224791 771 executableby (reboot:15005) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
I hope anyone can help me please ...
Regards,
Stefan
- Stefan
- Posts: 3
- Joined: Fri Apr 26, 2002 5:21 am
by spender » Fri Apr 26, 2002 11:26 am
i'm not sure what the problem could be...most likely it's an error in the configuration (the mmap logs usually only show up when the process acl does not have permission to execute itself)
1.9.5 should fix all your problems, since the parsing has a much greater level of error handling and acl analysis to make sure nothing goes wrong.
-Brad
1.9.5 should fix all your problems, since the parsing has a much greater level of error handling and acl analysis to make sure nothing goes wrong.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
problems
by michaeld » Fri Apr 26, 2002 4:01 pm
Mail me your configuration files if you don't want to wait until 1.9.5 and I'll fix them up (michael@grsecurity.net)
- michaeld
- Posts: 37
- Joined: Mon Feb 25, 2002 12:32 am
Post here the fixed and the non-fixed ACL's pls :)
by Sea-you » Tue Apr 30, 2002 8:55 am
Post here the fixed and the non-fixed ACL's pls 
We should learn from that
We should learn from that - Sea-you
- Posts: 10
- Joined: Thu Apr 11, 2002 12:48 pm
6 posts
• Page 1 of 1