Page 1 of 2

Debian and grsec.

PostPosted: Thu Dec 12, 2002 3:00 pm
by puppetm
Hello
I'm having trouble getting it to work; I don't find any information about how to put it in learning mode, or what learning mode does.
Do I have to sit and fill in every file, like
"that daemon got that logfile" and so on?

It seems that when I activate the logging there are many things that are coredumping...

PostPosted: Fri Dec 13, 2002 2:03 am
by moony
For information about learning mode take a look at chapter VI of the documentation. http://www.grsecurity.org/gracldoc.htm

If you want to build good ACLs, it is better to create separate ACLs for all daemons. The use of inheritance may be helpful there.

Moony

PostPosted: Fri Dec 13, 2002 10:04 am
by puppetm
I can't get it to work:
apache
gradm -T l /usr/sbin/apache
gradm -E
apache (and run some requests to it)
killall -9 apache
apache (continue)
gradm -a
gradm -L -O /etc/grsec/acl

Why doesn't it work?

PostPosted: Fri Dec 13, 2002 11:11 am
by spender
grep your kernel logs for LEARN. If you're not seeing anything, then there's something wrong with your syslog.

-Brad

PostPosted: Fri Dec 13, 2002 11:12 am
by spender
And also make sure that apache has the "l" flag in its subject mode. Otherwise, no learning will be done for it.

-Brad

PostPosted: Fri Dec 13, 2002 11:20 am
by puppetm
I don't get it at all. I use my kernel log file with grsec lines now, but nothing; am I stupid, or?
Dec 13 16:17:31 [kernel] grsec: LEARN:771:2:771:130309:/tmp/session_mm_apache0.mem:8
Dec 13 16:17:33 [kernel] grsec: LEARN:771:2:4:360448:/SYSV00000000 (deleted):8

I get that, nothing else...

PostPosted: Fri Dec 13, 2002 11:24 am
by spender
Are you using syslog-ng? It looks like your logfile format is different than what the ACL system is expecting... specifically the brackets around "kernel".

-Brad
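The format mismatch described in this post is easy to reproduce outside gradm. The following parser is an added example, not code from the thread or from gradm itself: it shows how a prefix pattern written for the classic "host kernel: grsec:" syslog layout silently drops metalog's "[kernel] grsec:" lines, and how a tolerant prefix recovers them. The two metalog lines are the ones quoted in the thread; the third line is constructed to mimic a traditional syslogd layout. The prefix regexes, the function names and the field names (`numbers`, `object`, `trailing`) are assumptions of this example; the colon-separated LEARN fields are passed through uninterpreted because their meaning is defined by gradm's own learner, not here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log (the first two lines are the metalog lines quoted
# in the thread, the third mimics classic syslogd output, the fourth is a
# non-LEARN grsec message that must be ignored by every variant).
SAMPLE_LOG = """\
Dec 13 16:17:31 [kernel] grsec: LEARN:771:2:771:130309:/tmp/session_mm_apache0.mem:8
Dec 13 16:17:33 [kernel] grsec: LEARN:771:2:4:360448:/SYSV00000000 (deleted):8
Dec 13 16:17:35 kjamiz kernel: grsec: LEARN:771:2:771:130309:/var/log/apache/access.log:8
Dec 13 16:17:36 [kernel] grsec: some other message
"""

# Strict prefix (assumed): only the traditional "host kernel: grsec:" layout.
STRICT_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ kernel: grsec: ")
# Tolerant prefix (assumed): also accepts metalog's "[kernel] grsec:" layout.
TOLERANT_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?:\S+ kernel:|\[kernel\]) grsec: ")

# LEARN payload: four numeric fields, the object path (matched greedily because
# it may contain spaces or colons, e.g. "/SYSV00000000 (deleted)"), one final
# number.  Field semantics are gradm's and are not interpreted here.
LEARN_RE = re.compile(r"^LEARN:(\d+):(\d+):(\d+):(\d+):(.*):(\d+)$")


def parse_learn_line(line: str, prefix: re.Pattern = TOLERANT_PREFIX) -> Optional[Dict]:
    """Return the LEARN fields of one log line, or None when the line is not a
    LEARN line that the given prefix pattern recognises."""
    line = line.rstrip("\n")
    m = prefix.match(line)
    if not m:
        return None
    lm = LEARN_RE.match(line[m.end():])
    if not lm:
        return None
    return {
        "numbers": [int(x) for x in lm.group(1, 2, 3, 4)],
        "object": lm.group(5),
        "trailing": int(lm.group(6)),
    }


def collect_learn_lines(log_text: str, prefix: re.Pattern = TOLERANT_PREFIX) -> Tuple[List[Dict], List[str]]:
    """Parse a whole log.  Returns (parsed entries, mismatched lines), where a
    mismatched line is one that clearly carries a LEARN record but was not
    accepted by the prefix pattern: exactly the symptom seen in the thread,
    where the kernel logged LEARN lines that gradm never picked up."""
    entries: List[Dict] = []
    mismatched: List[str] = []
    for line in log_text.splitlines():
        rec = parse_learn_line(line, prefix)
        if rec is not None:
            entries.append(rec)
        elif "grsec: LEARN:" in line:
            mismatched.append(line)
    return entries, mismatched


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_PREFIX), ("tolerant", TOLERANT_PREFIX)):
        entries, mismatched = collect_learn_lines(SAMPLE_LOG, pattern)
        print(f"{name}: parsed {len(entries)} LEARN entries, {len(mismatched)} format mismatches")
        for line in mismatched:
            print("  unrecognised layout:", line)
```

Running it with the strict pattern reports two mismatches for the bracketed metalog lines and parses only the syslogd line; the tolerant pattern parses all three. Counting lines that contain a LEARN record but fail the prefix is the check worth keeping around: a non-zero count after a learning run means the log format, not the ACL, is what needs fixing.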

PostPosted: Fri Dec 13, 2002 11:29 am
by puppetm
spender wrote:Are you using syslog-ng? It looks like your logfile format is different than what the ACL system is expecting... specifically the brackets around "kernel".

-Brad


No, I am using Metalog, so I can use regexps and their directory structure... so you mean I can't use Learn? :cry:

PostPosted: Fri Dec 13, 2002 11:40 am
by spender
I'm adding support for it right now.

-Brad

PostPosted: Fri Dec 13, 2002 11:50 am
by spender
OK, I've added rules for metalog and syslog-ng in the current CVS. Check it out and let me know how it works.

-Brad

PostPosted: Fri Dec 13, 2002 11:53 am
by puppetm
spender wrote:OK, I've added rules for metalog and syslog-ng in the current CVS. Check it out and let me know how it works.

-Brad


OK, downloading the CVS now, damn, running Debian :D

How should I do it: dpkg --purge gradm first and then compile?

PostPosted: Fri Dec 13, 2002 12:28 pm
by puppetm
root@kjamiz: ~ > gradm -E
Error writing to /proc/sys/kernel/grsecurity/acl
write: Invalid argument

root@kjamiz: ~ > Dec 13 17:27:40 [kernel] grsec: Proc handler: being fed garbage 200 bytes sent 160 required

root@kjamiz: ~ > gradm -D
Password:
Error writing to /proc/sys/kernel/grsecurity/acl
write: Invalid argument

PostPosted: Fri Dec 13, 2002 12:30 pm
by spender
oh...you need to use 1.9.8-rc1 or current cvs of grsecurity as well. If you don't want to upgrade yet, just look at the change I made to gradm_learner.l, and make a similar change to the gradm-1.6a.tar.gz code you have

-Brad

PostPosted: Fri Dec 13, 2002 12:31 pm
by puppetm
spender wrote:oh...you need to use 1.9.8-rc1 or current cvs of grsecurity as well. If you don't want to upgrade yet, just look at the change I made to gradm_learner.l, and make a similar change to the gradm-1.6a.tar.gz code you have

-Brad


I don't have the code; I did apt-get install gradm before, but I'm downloading the new grsecurity too...

What are the new improvements?
Does it work on 2.4.19? Or is there a kernel within the CVS?

PostPosted: Fri Dec 13, 2002 1:42 pm
by spender
Many improvements from 1.9.7. If you're subscribed to the mailing list, I made pretty frequent announcements about new features in the code. There are too many to restate here. The news page covers some of them as well.

-Brad