iptables not logging via syslog after installing grsecurity

PostPosted: Tue Jun 13, 2006 9:35 am
by kiliber
Hi all,

I have a problem with grsecurity 2.1.8 (kernel 2.6.14) and iptables version 1.2.11: since installing the grsecurity patch and gradm, iptables does not log to syslog anymore. Console logging still works and the messages are present in the kernel ring buffer (dmesg), but the kernel facility in syslog does not receive the messages from iptables specified with --LOG target anymore, no matter what priority I specify.

Has anyone ever experienced something similar before? Where should I go looking? I tweaked with kernel.printk, syslog.conf and the iptables LOG statement, but I'm quite stuck right now... Thanks for any hint!

Greetings,
Kilian

PostPosted: Tue Jun 13, 2006 9:48 pm
by Kp
I haven't seen this problem, but based on your description, syslog is unable to retrieve messages from the kernel. If you stop and restart syslog, do you see anything in dmesg from grsec about blocking syslog? Do you get any other kernel messages in your syslog output (for instance, grsec's alerts about policy violations)? What is your policy for the syslog daemon? Did you write it yourself or did you use the learning mode to create it? If you used learning mode, how long did you let it learn before you created the policy?

PostPosted: Tue Jun 13, 2006 10:10 pm
by spender
Did you make sure that the log module for iptables is compiled into your new kernel?

-Brad

PostPosted: Wed Jun 14, 2006 4:31 am
by kiliber
If I restart syslog, I don't see anything about grsec blocking syslog. And I do not get any other kernel messages in my syslog output.

About the policy: I used the learning mode as described in the Quickstart Guide, doing:

Code:
$ gradm -F -L /etc/grsec/learning.log

and after one day

Code:
$ gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl

Now: do I need to copy this file /etc/grsec/acl over /etc/grsec/policy? I am not very clear about this. There exists a /etc/grsec/policy, but I did not create this file.

And yes, the LOG target is compiled into the kernel.

Thanks a lot for your help!

Greetings,
Kilian

PostPosted: Wed Jun 14, 2006 7:51 pm
by spender
Yes, you need to replace the /etc/grsec/policy file.

-Brad
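One way to answer Kp's question about the syslog daemon's policy from the generated file, as an added example that is not from the thread: a small Python checker that parses a grsecurity RBAC policy (the constructed sample below) and reports whether the subject covering the kernel-log daemon may read /proc/kmsg, the interface klogd/syslogd read kernel messages from on 2.6 kernels. The daemon path /sbin/klogd, the role name and the longest-prefix matching rule are assumptions, and the sample policy is constructed for illustration.

```python
# Added example (not from the thread): parse a grsecurity RBAC policy and report whether
# the kernel-log daemon subject may read /proc/kmsg. Policy text and paths are constructed.
SAMPLE_POLICY = """\
role default G
subject /
    /           r
    /proc/kmsg  h

subject /sbin/klogd o
    /           h
    /proc       r
    # what learning mode tends to emit if the daemon never read kmsg while learning
    /proc/kmsg  h
"""

def parse_policy(text):
    """Map (role, subject_path) -> [(object_path, mode), ...] per subject block."""
    subjects, role, subj = {}, None, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments, accept tabs or spaces
        if not parts:
            continue
        if parts[0] == "role":
            role, subj = parts[1], None
        elif parts[0] == "subject":
            subj = (role, parts[1])
            subjects.setdefault(subj, [])
        elif subj and parts[0].startswith("/") and len(parts) >= 2:
            subjects[subj].append((parts[0], parts[1]))
        # capability, connect/bind and other non-object lines are not needed here
    return subjects

def _covers(path, candidate):
    """True if candidate equals path or is one of its directory ancestors."""
    return candidate == "/" or path == candidate or path.startswith(candidate.rstrip("/") + "/")

def _longest(entries, path):
    """grsecurity applies the entry with the longest matching path prefix (assumed)."""
    hits = [e for e in entries if _covers(path, e[0])]
    return max(hits, key=lambda e: len(e[0]), default=None)

def kmsg_readable(policy_text, daemon="/sbin/klogd", role="default", kmsg="/proc/kmsg"):
    """True if daemon (under role) may read kmsg, False if denied or hidden,
    None if no subject in that role covers the daemon at all."""
    subjects = parse_policy(policy_text)
    subj = _longest([(p, None) for (r, p) in subjects if r == role], daemon)
    if subj is None:
        return None
    obj = _longest(subjects[(role, subj[0])], kmsg)
    return obj is not None and "r" in obj[1] and "h" not in obj[1]
```

Run it against the file produced by `gradm -O` before copying it over /etc/grsec/policy; a False result for the log daemon is exactly the symptom described in the thread.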