Learning mode with grsecurity2/gradm2


Postby MichaelN » Fri Sep 26, 2003 12:27 am

I currently am using 2.4.22 with grsecurity2 and gradm2. I have searched through the forum for some posts about learning mode, and tried them, but to no success. What is the proper command/syntax for generating acls from learning mode? This is what I currently do:

gradm -D
gradm -F -L /var/log/syslog -O /etc/grsec/new_acls
gradm -E

I run that for about 24 hours, and there _are_ access errors in syslog and I have entries in my acl marked with the learning flag, but it does not produce any acls. Any input would be appreciated.
MichaelN
 
Posts: 9
Joined: Wed Sep 24, 2003 8:07 pm

Postby spender » Sat Sep 27, 2003 8:09 pm

I thought the learning procedure was shown in the default policy?

Here it is again:

<RBAC system should be disabled at this point>
gradm -F -L /etc/grsec/learning.logs
<it's now enabled>
run in this mode for a while
gradm -D
gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/acl

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby gpgkeys » Sat Oct 11, 2003 5:16 pm

spender wrote:
I thought the learning procedure was shown in the default policy?

Here it is again:

<RBAC system should be disabled at this point>
gradm -F -L /etc/grsec/learning.logs
<it's now enabled>
run in this mode for a while
gradm -D
gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/acl

-Brad


I followed your exact steps as they mirror the documentation, with the exception that the -F was not added as it's an exclusion flag to -O according to the man page. However, ACLs fail to generate: the file is created at 0 bytes, with 97% CPU usage and roughly 16MB RAM. Process status is RL. Time frame is 25 minutes and continuing for processing a 41MB learning log on a shell server.

What is the average parse time for a 50MB learning log? Is the *entire* acl map generated in memory and *then* spit to the file or does it drop portions to file before 100% generation?

System is a Red Hat 8 + errata + 2.4.22 pristine kernel + grsec2-rc3 + iptables 1.2.8 patch. CPU is 1.26GHz (512k cache) + 1GB RAM.
gpgkeys
 
Posts: 2
Joined: Sat Oct 11, 2003 5:10 pm

Postby spender » Sat Oct 11, 2003 6:24 pm

It's all spit out at once. If you were doing logging on the entire system (i.e. you used -F when enabling) then you also need to use -F when generating the learning logs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
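The procedure Brad gives above, with the one point that tripped up both posters (-F has to be used both when enabling learning and when generating the policy) made impossible to get wrong, as an added shell wrapper. This is not gradm's own tooling or anything from the thread; it only uses the gradm 2.x flags shown in the posts (-D, -F, -L, -O), and the log and policy paths are placeholders. It also refuses to accept a 0-byte policy file, which is what a mismatch between the two steps produced for gpgkeys.

```shell
#!/bin/sh
# Added example, not part of gradm or of this thread: drives the two halves
# of the learning procedure from one set of variables so the -F flag is
# either present in both steps or absent from both.
# Assumes gradm 2.x syntax as shown in the thread; paths are placeholders.

LEARN_LOG="${LEARN_LOG:-/etc/grsec/learning.logs}"   # placeholder
POLICY_OUT="${POLICY_OUT:-/etc/grsec/acl}"           # placeholder
FULL_LEARN="${FULL_LEARN:-yes}"   # yes = system-wide learning (-F), no = per-subject

# The single source of truth for the -F flag; both steps call this.
learn_flags() {
    if [ "$FULL_LEARN" = "yes" ]; then
        printf '%s' "-F"
    fi
}

# Step 1: start learning. Precondition (from the thread): the RBAC system
# is disabled at this point. gradm enables it with learning active.
learn_start() {
    # shellcheck disable=SC2046  # empty expansion must yield no argument
    gradm $(learn_flags) -L "$LEARN_LOG"
}

# Step 2: after running the workload for a while, disable RBAC and turn the
# log into a policy, using exactly the flags step 1 used.
learn_generate() {
    gradm -D || return 1
    # shellcheck disable=SC2046
    gradm $(learn_flags) -L "$LEARN_LOG" -O "$POLICY_OUT" || return 1
    # gpgkeys's symptom: gradm writes an empty file when the run is not
    # consistent with how learning was enabled. Never install that.
    if [ ! -s "$POLICY_OUT" ]; then
        echo "learn_generate: no policy written to $POLICY_OUT" >&2
        return 1
    fi
    echo "policy written to $POLICY_OUT ($(wc -c < "$POLICY_OUT" | tr -d ' ') bytes)"
}

# Usage: ./grsec-learn.sh start   (then run the system for a while)
#        ./grsec-learn.sh generate
if [ "$#" -gt 0 ]; then
    case "$1" in
        start)    learn_start ;;
        generate) learn_generate ;;
        *)        echo "usage: $0 start|generate" >&2; exit 2 ;;
    esac
fi
```

Set FULL_LEARN=no to get the per-subject variant (no -F anywhere); the point is that the flag is decided once, not typed twice. Review the generated file before loading it with gradm -E; learning mode records what the system did during the run, not what it should be allowed to do.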

Postby gpgkeys » Sun Oct 12, 2003 7:13 am

spender wrote:
It's all spit out at once. If you were doing logging on the entire system (i.e. you used -F when enabling) then you also need to use -F when generating the learning logs.

-Brad


OK, thanks for clearing that up. The -F appears to be an || not &&/|| with -L && -O

Thanks for clearing that up. My little 41MB log took almost 7 hours to complete on my machine only to generate a 33K new_acls. Is this normal??

(Please don't say yes, please don't say yes.. crosses fingers)
gpgkeys
 
Posts: 2
Joined: Sat Oct 11, 2003 5:10 pm

Postby spender » Sun Oct 12, 2003 9:24 am

Can you do a cat | sort | uniq | wc -l on the file?
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

speeding acl generation

Postby niz » Tue Dec 02, 2003 2:07 pm

I always do 'grep -v your_locate_update_command' on grsecurity 2.0 full learning logs.. that speeds up generation a lot (3,5mb -> 650kb in file size, as an example)
niz
 
Posts: 19
Joined: Mon Sep 09, 2002 6:12 am
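The two log-size tricks in this thread, spender's distinct-line count (cat | sort | uniq | wc -l) and niz's grep -v of the locate update job, as an added script that is not part of gradm or of any post here. The sample log lines are constructed placeholders and do not follow the real gradm learning-log format; the logic is purely line-based, so it does not depend on that format.

```shell
#!/bin/sh
# Added example, not from gradm or this thread: size up and pre-process a
# full-learning log before handing it to gradm -O.

# spender's check: total lines vs. distinct lines. A large gap means gradm
# would spend most of its run re-parsing duplicates.
learning_log_stats() {
    total=$(wc -l < "$1" | tr -d ' ')
    distinct=$(sort -u "$1" | wc -l | tr -d ' ')
    printf '%s %s\n' "$total" "$distinct"
}

# niz's trick plus deduplication: write a copy of the log with every line
# matching an extended regex (e.g. the locate/updatedb run) removed, then
# collapse duplicates (sort -u is equivalent to sort | uniq). Prints the
# resulting line count.
prep_learning_log() {
    in="$1"; out="$2"; drop="${3:-}"
    if [ -n "$drop" ]; then
        grep -v -E -- "$drop" "$in" | sort -u > "$out"
    else
        sort -u "$in" > "$out"
    fi
    wc -l < "$out" | tr -d ' '
}

# Constructed sample log (placeholder lines, NOT the real gradm format):
# a filesystem-walking updatedb job drowns out the few lines that matter.
write_sample_log() {
    cat > "$1" <<'EOF'
/usr/bin/updatedb /var/lib/slocate/slocate.db w
/usr/bin/updatedb /home/alice r
/usr/bin/updatedb /home/alice r
/bin/bash /etc/passwd r
/bin/bash /etc/passwd r
/usr/sbin/sshd /etc/ssh/sshd_config r
/usr/bin/updatedb /home/bob r
EOF
}

# Usage: ./prep-learning-log.sh learning.logs learning.clean 'updatedb'
if [ "$#" -ge 2 ]; then
    echo "before (total distinct): $(learning_log_stats "$1")"
    echo "after: $(prep_learning_log "$@") lines written to $2"
fi
```

Dropping a program's lines is a speed trade-off, not a free win: whatever you grep out is not learned, so the generated policy will contain nothing for that program and it needs its own subject written by hand (or a separate learning run) before it is allowed to do its job under RBAC. Deduplication has no such cost, since gradm gets the same facts in fewer lines.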
