Help me understand log entries
Posted: Wed Oct 02, 2013 3:05 pmHi guys,
Please forgive me as I am new to Grsecurity.
Kernel Version: 2.6.32-60
OS: Debian 6.0.5 64-bit
I recently added Modsecurity to my system that is running Grsecurity. I noticed in the logs a few entries relating to it and I was wondering if someone could help me understand what is going on how and what I need to do to correct it.
[625923.750644] grsec: From 10.240.1.126: (www-data:U:/usr/lib/apache2/mpm-prefork/apache2) denied access to hidden file /etc/apache2/modsecurity/var/tmp/global.dir by /usr/lib/apache2/mpm-prefork/apache2[apache2:1687] uid/euid:33/33 gid/egid:33/33, parent /usr/lib/apache2/mpm-prefork/apache2[apache2:1406] uid/euid:0/0 gid/egid:0/0
There is no documentation online that explains the FORMAT of the logs and what everything means.
Questions:
What does www-data:U:/usr/apache2/mpm-prefork/apache2 mean? www-data is account / username that runs the Apache httpd daemon
What does :U mean?
What does parent /usr/lib/apache2/mpm-prefork/apache2{apache2:1406} mean?
From what I understand the Subject (www-data:U:/usr/lib/apache2/mpm-prefork/apache2 is trying to access the Object (/etc/apache2/modsecurity/var/tmp/global.dir and was denied access. Is this correct? If so, what do I do to correct this error in my /etc/grsec/policy file.
I have grsecurity setup for split-roles to make troubleshooting much easier. In in /etc/grsec/users/ directory the policy is broken down by username such as Debian-exim, mysql, nobody, root, sshd, www-data , messagebus etc. Am i correct in assuming that I need to edit /etc/grsec/users/www-data and make adjustments to the "subject /usr/lib/apache2/mpm-prefork/apache2" line?
After I make the change, do I just re-enable the system and the new changes take effect?
thanks everyone for your support and taking the time to read this and helping me understand Grsecurity a lot more.
cheers
Please forgive me as I am new to Grsecurity.
Kernel Version: 2.6.32-60
OS: Debian 6.0.5 64-bit
I recently added Modsecurity to my system that is running Grsecurity. I noticed in the logs a few entries relating to it and I was wondering if someone could help me understand what is going on how and what I need to do to correct it.
[625923.750644] grsec: From 10.240.1.126: (www-data:U:/usr/lib/apache2/mpm-prefork/apache2) denied access to hidden file /etc/apache2/modsecurity/var/tmp/global.dir by /usr/lib/apache2/mpm-prefork/apache2[apache2:1687] uid/euid:33/33 gid/egid:33/33, parent /usr/lib/apache2/mpm-prefork/apache2[apache2:1406] uid/euid:0/0 gid/egid:0/0
There is no documentation online that explains the FORMAT of the logs and what everything means.
Questions:
What does www-data:U:/usr/apache2/mpm-prefork/apache2 mean? www-data is account / username that runs the Apache httpd daemon
What does :U mean?
What does parent /usr/lib/apache2/mpm-prefork/apache2{apache2:1406} mean?
From what I understand the Subject (www-data:U:/usr/lib/apache2/mpm-prefork/apache2 is trying to access the Object (/etc/apache2/modsecurity/var/tmp/global.dir and was denied access. Is this correct? If so, what do I do to correct this error in my /etc/grsec/policy file.
I have grsecurity setup for split-roles to make troubleshooting much easier. In in /etc/grsec/users/ directory the policy is broken down by username such as Debian-exim, mysql, nobody, root, sshd, www-data , messagebus etc. Am i correct in assuming that I need to edit /etc/grsec/users/www-data and make adjustments to the "subject /usr/lib/apache2/mpm-prefork/apache2" line?
After I make the change, do I just re-enable the system and the new changes take effect?
thanks everyone for your support and taking the time to read this and helping me understand Grsecurity a lot more.
cheers