Help me understand log entries

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Help me understand log entries

Postby grsecurityrocks » Wed Oct 02, 2013 3:05 pm

Hi guys,

Please forgive me as I am new to Grsecurity.

Kernel Version: 2.6.32-60
OS: Debian 6.0.5 64-bit

I recently added Modsecurity to my system that is running Grsecurity. I noticed in the logs a few entries relating to it and I was wondering if someone could help me understand what is going on how and what I need to do to correct it.

[625923.750644] grsec: From 10.240.1.126: (www-data:U:/usr/lib/apache2/mpm-prefork/apache2) denied access to hidden file /etc/apache2/modsecurity/var/tmp/global.dir by /usr/lib/apache2/mpm-prefork/apache2[apache2:1687] uid/euid:33/33 gid/egid:33/33, parent /usr/lib/apache2/mpm-prefork/apache2[apache2:1406] uid/euid:0/0 gid/egid:0/0

There is no documentation online that explains the FORMAT of the logs and what everything means.

Questions:
What does www-data:U:/usr/apache2/mpm-prefork/apache2 mean? www-data is account / username that runs the Apache httpd daemon
What does :U mean?
What does parent /usr/lib/apache2/mpm-prefork/apache2{apache2:1406} mean?

From what I understand the Subject (www-data:U:/usr/lib/apache2/mpm-prefork/apache2 is trying to access the Object (/etc/apache2/modsecurity/var/tmp/global.dir and was denied access. Is this correct? If so, what do I do to correct this error in my /etc/grsec/policy file.

I have grsecurity setup for split-roles to make troubleshooting much easier. In in /etc/grsec/users/ directory the policy is broken down by username such as Debian-exim, mysql, nobody, root, sshd, www-data , messagebus etc. Am i correct in assuming that I need to edit /etc/grsec/users/www-data and make adjustments to the "subject /usr/lib/apache2/mpm-prefork/apache2" line?

After I make the change, do I just re-enable the system and the new changes take effect?

thanks everyone for your support and taking the time to read this and helping me understand Grsecurity a lot more.

cheers
grsecurityrocks
 
Posts: 1
Joined: Wed Oct 02, 2013 12:16 pm

Re: Help me understand log entries

Postby ldunston » Thu Oct 10, 2013 8:11 pm

Heh, log entries can be daunting at first but they are pretty easy once you get the hang of them.

I don't know all of the answers you posted but here's what I do know:

You have a subject /usr/lib/apache2/mpm-prefork/apache2 which denied access to a hidden file /etc/apache2/modsecurity/var/tmp/global.dir. The process attempting to access that file was /usr/lib/apache2/mpm-prefork/apache2[apache2:1687]. That process that was blocked was a child of /usr/lib/apache2/mpm-prefork/apache2[apache2:1406].

To fix the deny you'll have to add access to the denied file in the apache2 subject like this:

/etc/apache2/modsecurity/var/tmp/global.dir r

(I'm not sure which type of access is needed but assuming read access)
ldunston
 
Posts: 10
Joined: Mon Dec 03, 2012 2:28 pm


Return to grsecurity support