
gradm WEIRD problem

Posted: Tue Dec 05, 2006 2:45 am
by lightb
Hello,

I am running: Slackware 10.1
Kernel version: 2.4.32-grsec
GrAdm version: 2.1.6

I had installation problems with /dev/grsec but I solved it.

crw--w--w- 1 root root 2, 16 2006-12-05 07:25 /dev/grsec

rm /dev/grsec; mknod /dev/grsec c 2 16

It is the only thing I found to avoid the "no such file or directory" problem in "make install". I did gradm -P and I set up a password, and gradm -P admin, and set up an admin role password.

At first everything seemed to work fine but:

1. gradm -E -V
Policy statistics:
-------------------------------------------------------
Role summary:
0 user roles
0 group roles
1 special roles with authentication
0 special roles without authentication
1 admin roles
2 total roles

Subject summary:
0 nested subjects
8 subjects can be killed by outside processes
10 subjects have unprotected shared memory
7 subjects with unrestricted sockets
10 total subjects

Object summary:
0 objects in non-admin roles allow chmod +s
124 total objects

2. gradm -S
Nothing. No message is displayed when I check for the status.

3. gradm -D

Nothing is displayed; it just prompts me for a password, and whether I put in the good or bad password the same thing happens.

4. When I start grlearn it learns nothing, and furthermore gradm is unable to access /dev/grsec; I figured grlearn uses it so that could be the problem.

# gradm -F -L /etc/grsec/grlog
Could not open /dev/grsec.
open: Input/output error
# ps -ef | grep grlearn
root 32172 1 0 08:21 pts/0 00:00:00 /sbin/grlearn /etc/grsec/grlog
root@darkstar:/etc/grsec# gradm -F -L /etc/grsec/grlog -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Full learning complete.


The log file is created but it remains 0.

*Note: I compiled without PAM support.

Grsecurity configuration:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
CONFIG_GRKERNSEC_MID=y
# CONFIG_GRKERNSEC_HI is not set
# CONFIG_GRKERNSEC_CUSTOM is not set
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
# CONFIG_GRKERNSEC_PROC_ADD is not set
# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
# CONFIG_GRKERNSEC_CHROOT_NICE is not set
# CONFIG_GRKERNSEC_CHROOT_FINDTASK is not set
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
# CONFIG_GRKERNSEC_PAX_ETEXECRELOCS is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
# CONFIG_GRKERNSEC_PAX_EMUSIGRT is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PAX_SEGMEXEC is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_CHROOT_FCHDIR is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
# CONFIG_GRKERNSEC_RESLOG is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_CHROOT=y
# CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
# CONFIG_GRKERNSEC_PAX_RANDKSTACK is not set
# CONFIG_GRKERNSEC_PAX_KERNEXEC is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_MODSTOP=y

Level: Medium

Question: Is this normal? I saw on posts that when you do "-S" it should tell you whether it is enabled or disabled, and when you do a full system learn it should fill your log, my log files are 0 all the time.

Posted: Fri Dec 08, 2006 5:27 pm
by spender
The major/minor device numbers for your fixed /dev/grsec device are wrong. Use mknod /dev/grsec c 1 13, as is used in the gradm Makefile.

-Brad
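
An added example, not part of the original thread or of gradm: a POSIX shell check that compares a device node's type and major/minor numbers with the expected ones (1, 13 per the reply above). The function names and the second sample line are constructed for illustration; check_node assumes GNU stat.

```shell
#!/bin/sh
# Added example: verify a device node's type and major/minor numbers.

# `ls -l` line from the first post, and a constructed line for a corrected node.
POSTED='crw--w--w- 1 root root 2, 16 2006-12-05 07:25 /dev/grsec'
FIXED='crw--w--w- 1 root root 1, 13 2006-12-08 17:30 /dev/grsec'

# Parse one `ls -l` line for a device node and print "type major minor".
# Device nodes show "major, minor" where regular files show a size.
parse_node_line() {
    printf '%s\n' "$1" | awk '{
        type = substr($1, 1, 1)
        major = $5; sub(/,$/, "", major)
        print type, major, $6
    }'
}

# Return 0 if the line describes a character device with the expected numbers.
check_node_line() {
    line=$1; want_major=$2; want_minor=$3
    set -- $(parse_node_line "$line")
    [ "$1" = "c" ] && [ "$2" = "$want_major" ] && [ "$3" = "$want_minor" ]
}

# Check a live node. GNU stat prints major/minor in hex for %t and %T.
# Returns 2 if the path is missing or is not a character device.
check_node() {
    path=$1; want_major=$2; want_minor=$3
    [ -c "$path" ] || return 2
    set -- $(stat -c '%t %T' "$path")
    [ "$((0x$1))" -eq "$want_major" ] && [ "$((0x$2))" -eq "$want_minor" ]
}

# Demo: the posted node fails the 1,13 check, the constructed one passes.
for line in "$POSTED" "$FIXED"; do
    if check_node_line "$line" 1 13; then
        echo "OK:       $line"
    else
        echo "MISMATCH: $line (found: $(parse_node_line "$line"), want: c 1 13)"
    fi
done
```

On a live system, `check_node /dev/grsec 1 13` performs the same comparison against the actual node.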