
kernel audit logging won't work

PostPosted: Sat Jun 07, 2003 2:32 am
by frankcc
I have specified kernel auditing to log everything for group 1002 (shellusers), but it doesn't log anything from them... not even in /var/log/messages or /var/log/syslog.

Anybody?

PostPosted: Sat Jun 07, 2003 12:15 pm
by spender
Check your syslog.conf, and look for a rule on kern.info or kern.*, and see where the auditing logs are being output.

-Brad
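
The check Brad suggests, as an added example that is not part of the thread: a small POSIX shell/awk script that reads a syslog.conf, joins backslash-continued lines, and prints every rule that can receive kernel-facility messages (explicit kern.* selectors and *.level wildcards, minus rules that exclude the facility with kern.none). The function names and the embedded sample config are this example's own; the sample is constructed to mirror the Debian layout quoted later in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): report which syslog.conf rules
# receive kernel-facility messages. Function and sample names are this
# example's own assumptions.

# kern_rules FILE
# Prints "selector<TAB>action" for every rule that receives kern.*
# messages: an explicit kern.<prio> selector or a *.<prio> wildcard,
# unless a later kern.none in the same rule excludes the facility
# (later selectors in a rule override earlier ones, as in syslogd).
kern_rules() {
    awk '
        # glue continuation lines ("...;\") onto the next line
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = split(line, f, /[[:space:]]+/)
            if (n < 2) next
            action = f[n]                              # file, pipe or user list
            sel = ""
            for (i = 1; i < n; i++) sel = sel f[i]     # selector list, blanks removed
            hit = 0
            m = split(sel, parts, ";")
            for (j = 1; j <= m; j++) {
                if (split(parts[j], fp, "[.]") < 2) continue
                prio = fp[2]
                k = split(fp[1], facs, ",")
                for (l = 1; l <= k; l++) {
                    if (facs[l] == "kern" && prio == "none") hit = 0
                    else if ((facs[l] == "kern" || facs[l] == "*") && prio != "none") hit = 1
                }
            }
            if (hit) printf "%s\t%s\n", sel, action
        }
    ' "$1"
}

# write_sample_conf FILE: constructed sample in the layout of the
# thread's Debian syslog.conf, including a multi-line rule and a rule
# that explicitly excludes kern.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample config (not a real system file)
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.=crit;kern.none               /var/log/crit-no-kern
*.emerg                         *
EOF
}

# Run directly: ./kern_rules.sh /etc/syslog.conf
# With no argument it runs on the constructed sample instead.
if [ -n "${1:-}" ]; then
    kern_rules "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"; kern_rules "$tmp"; rm -f "$tmp"
fi
```

On the sample, the rules reaching /var/log/syslog, /var/log/kern.log, /var/log/messages and the *.emerg wall rule are reported; the crit-no-kern rule is not, because its trailing kern.none overrides the wildcard. A leading "-" on a file action only means asynchronous writes, so it does not change where the messages land.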

PostPosted: Sat Jun 07, 2003 12:44 pm
by frankcc
spender wrote: Check your syslog.conf, and look for a rule on kern.info or kern.*, and see where the auditing logs are being output.

-Brad

It says:
kern.* -/var/log/kern.log

But they are not there...

PostPosted: Sat Jun 07, 2003 12:54 pm
by spender
Can you paste your config?
You might have enabled sysctl support and forgotten to enable the various options/set the GIDs.

-Brad

PostPosted: Sat Jun 07, 2003 12:58 pm
by frankcc
spender wrote: Can you paste your config?
You might have enabled sysctl support and forgotten to enable the various options/set the GIDs.

-Brad



# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole

PostPosted: Sat Jun 07, 2003 1:08 pm
by spender
Sorry, I meant the grsecurity portion of your kernel config.

-Brad

PostPosted: Sat Jun 07, 2003 1:14 pm
by frankcc
spender wrote: Sorry, I meant the grsecurity portion of your kernel config.

-Brad


Where do I find that?

PostPosted: Sat Jun 07, 2003 1:17 pm
by spender
In your kernel source tree, the file is named ".config".

ls /proc/sys/kernel/grsecurity

will also tell me what I need to know.

-Brad

PostPosted: Sat Jun 07, 2003 1:20 pm
by frankcc
spender wrote: In your kernel source tree, the file is named ".config".

ls /proc/sys/kernel/grsecurity

will also tell me what I need to know.

-Brad


debian:~# ls /proc/sys/kernel/grsecurity
acl audit_ipc fifo_restrictions signal_logging
audit_chdir audit_mount forkfail_logging timechange_logging
audit_gid chroot_execlog grsec_lock
audit_group exec_logging linking_restrictions

Here you will find the kernel config:
http://blackout.ath.cx/~frankcc/.config

PostPosted: Tue Jun 10, 2003 3:25 am
by frankcc
Please help me, I really need to get this working.

I tried to cat everything in /proc/sys/kernel/grsecurity

and the output was "0" for all of the files.

PostPosted: Tue Jun 10, 2003 10:05 am
by spender
Go back and read the kernel configuration help for the sysctl option. You need to echo 1 to the features you want to enable, and echo a gid to the options with "gid" in their name, to set the gid to operate on for the particular feature.

-Brad

PostPosted: Wed Jun 11, 2003 7:31 am
by frankcc
Well, how do I do that? I have read the ACL things...

debian:/proc/sys/kernel/grsecurity# echo 1002 audit_group
1002 audit_group
debian:/proc/sys/kernel/grsecurity# cat audit_group
0

PostPosted: Wed Jun 11, 2003 8:37 am
by fonya
Try this:
echo 1002 > /proc/sys/kernel/grsecurity/audit_group

Don't forget the '>' sign!!!

PostPosted: Wed Jun 11, 2003 9:09 am
by frankcc
lol, can't believe I forgot that.

But it still doesn't work...
:-?

PostPosted: Wed Jun 11, 2003 9:23 am
by spender
You only echo a gid to the entries with "gid" in their name. For that one, you echo a 1 to it to enable the gid-based auditing.

-Brad
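
Putting Brad's last two posts together, as an added example that is not code from the thread or from grsecurity: the boolean entries under /proc/sys/kernel/grsecurity take 0 or 1, and the entries with "gid" in the name take the group id, so auditing group 1002 means 1 into audit_group and 1002 into audit_gid. The script below wraps that in a function that reads the values back, refuses to write once grsec_lock is set (grsecurity stops accepting sysctl changes after that), and takes the sysctl directory as a parameter so the logic can be exercised against a constructed copy of the tree. Function names and the fake tree are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): enable grsecurity's group-based
# auditing through the sysctl tree the thread lists. Function names and
# the constructed stand-in directory are this example's own.

# grsec_show [DIR]: print name=value for every entry in the sysctl tree.
grsec_show() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# grsec_audit_group_enable GID [DIR]
# 1 -> audit_group (the on/off switch), GID -> audit_gid (which group).
# Returns 2 for a non-numeric gid, 1 if the tree is locked or a value
# did not stick, 0 on success.
grsec_audit_group_enable() {
    gid=$1
    dir=${2:-/proc/sys/kernel/grsecurity}
    case $gid in
        ''|*[!0-9]*) echo "gid must be numeric" >&2; return 2 ;;
    esac
    if [ -f "$dir/grsec_lock" ] && [ "$(cat "$dir/grsec_lock")" = 1 ]; then
        echo "grsec_lock is set; sysctl changes are refused until reboot" >&2
        return 1
    fi
    # Note the redirection: "echo 1002 audit_group" only prints, as the
    # thread shows. The order matters too: set the gid before switching on.
    echo "$gid" > "$dir/audit_gid"   || return 1
    echo 1      > "$dir/audit_group" || return 1
    # Read back rather than trusting the write.
    [ "$(cat "$dir/audit_gid")" = "$gid" ] && [ "$(cat "$dir/audit_group")" = 1 ]
}

# make_fake_grsec_tree DIR: constructed stand-in for the sysctl tree,
# every entry 0 as in the thread's output.
make_fake_grsec_tree() {
    mkdir -p "$1"
    for name in audit_group audit_gid exec_logging grsec_lock; do
        echo 0 > "$1/$name"
    done
}

# Run directly with a gid to apply it to the live tree: ./grsec_audit.sh 1002
if [ -n "${1:-}" ]; then
    grsec_audit_group_enable "$1" && grsec_show
fi
```

These are runtime settings and are gone after a reboot; the persistent form is the same entries in /etc/sysctl.conf (kernel.grsecurity.audit_group = 1, kernel.grsecurity.audit_gid = 1002), with grsec_lock, if used at all, set last. Once enabled, the audit lines are kern-facility messages, so they land wherever the syslog.conf kern.* rule points (in this thread, /var/log/kern.log).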