Learning mode with grsecurity2/gradm2

PostPosted: Fri Sep 26, 2003 12:27 am
by MichaelN
I currently am using 2.4.22 with grsecurity2 and gradm2. I have searched through the forum for some posts about learning mode, and tried them, but to no success. What is the proper command/syntax for generating acls from learning mode? This is what I currently do:

gradm -D
gradm -F -L /var/log/syslog -O /etc/grsec/new_acls
gradm -E

I run that for about 24 hours, and there _are_ access errors in syslog and I have entries in my ACL marked with the learning flag, but it does not produce any ACLs. Any input would be appreciated.

PostPosted: Sat Sep 27, 2003 8:09 pm
by spender
I thought the learning procedure was shown in the default policy?

Here it is again:

<RBAC system should be disabled at this point>
gradm -F -L /etc/grsec/learning.logs
<it's now enabled>
run in this mode for a while
gradm -D
gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/acl

-Brad

PostPosted: Sat Oct 11, 2003 5:16 pm
by gpgkeys
spender wrote:I thought the learning procedure was shown in the default policy?

Here it is again:

<RBAC system should be disabled at this point>
gradm -F -L /etc/grsec/learning.logs
<it's now enabled>
run in this mode for a while
gradm -D
gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/acl

-Brad


I followed your exact steps as they mirror the documentation, with the exception that the -F was not added, as it's an exclusion flag to -O according to the man page. However, ACLs fail to generate: the file is created at 0 bytes, with 97% CPU usage and roughly 16MB RAM. Process status is RL. Time frame is 25 minutes and continuing, for processing a 41MB learning log on a shell server.

What is the average parse time for a 50MB learning log? Is the *entire* acl map generated in memory and *then* spit to the file or does it drop portions to file before 100% generation?

System is a Red Hat 8 + errata + 2.4.22 pristine kernel + grsec2-rc3 + iptables 1.2.8 patch. CPU is 1.26GHz (512k cache) + 1GB RAM.

PostPosted: Sat Oct 11, 2003 6:24 pm
by spender
It's all spit out at once. If you were doing logging on the entire system (ie. you used -F when enabling) then you also need to use -F when generating the learning logs.

-Brad

PostPosted: Sun Oct 12, 2003 7:13 am
by gpgkeys
spender wrote:It's all spit out at once. If you were doing logging on the entire system (ie. you used -F when enabling) then you also need to use -F when generating the learning logs.

-Brad


OK, thanks for clearing that up. The -F appears to be an || not &&/|| with -L && -O

Thanks for clearing that up. My little 41MB log took almost 7 hours to complete on my machine, only to generate a 33K new_acls. Is this normal??

(Please don't say yes, please don't say yes.. crosses fingers)

PostPosted: Sun Oct 12, 2003 9:24 am
by spender
Can you do a cat | sort | uniq | wc -l
on the file?

Speeding ACL generation

PostPosted: Tue Dec 02, 2003 2:07 pm
by niz
I always do 'grep -v your_locate_update_command' on grsecurity 2.0 full learning logs. That speeds up generating a lot (3.5MB -> 650KB in file size, as an example).
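The following script is an added example, not code posted in this thread nor part of the grsecurity/gradm project. It wraps the full-system learning procedure spender gives above (enable with -F -L, run, disable, then generate with -F -L ... -O) and applies the two log-size tips from the later posts (drop the locate-update lines, then sort | uniq) before handing the log to gradm. It assumes a gradm 2.x that accepts -D, -E, -F, -L and -O as used in the thread, that the learning log is plain text (the thread greps and sorts it), that "updatedb" is the locate update command to filter, and that the paths /etc/grsec/learning.logs and /etc/grsec/acl.new are placeholders to adjust. It also checks for the 0-byte output that gpgkeys hit when the -F flags did not match.

```shell
#!/bin/sh
# Added example for the gradm learning-mode procedure discussed in the thread.
# Not from the grsecurity project. Paths and the noise pattern are assumptions.

LEARN_LOG=${LEARN_LOG:-/etc/grsec/learning.logs}   # hypothetical path
OUT_POLICY=${OUT_POLICY:-/etc/grsec/acl.new}        # hypothetical path
NOISE_RE=${NOISE_RE:-updatedb}                      # assumed locate-update command

# Drop lines produced by the filesystem crawler (niz's grep -v tip) and then
# remove exact duplicates (spender's sort | uniq check). Much smaller input,
# same set of accesses, so gradm -O finishes far sooner.
# $1: raw learning log, $2: filtered log to write
filter_learning_log() {
    grep -v -- "$NOISE_RE" "$1" | sort | uniq > "$2"
}

# Step 1: start full-system learning. RBAC must be disabled beforehand;
# gradm -F -L enables it in learning mode.
start_full_learning() {
    gradm -D 2>/dev/null || true
    gradm -F -L "$LEARN_LOG"
}

# Step 2 (after running the system for a while): disable RBAC, shrink the
# log, and generate the policy. -F must be given here too, because the log
# was collected in full-system mode; otherwise gradm writes an empty file.
generate_policy() {
    gradm -D
    filter_learning_log "$LEARN_LOG" "$LEARN_LOG.filtered"
    gradm -F -L "$LEARN_LOG.filtered" -O "$OUT_POLICY"
    if [ ! -s "$OUT_POLICY" ]; then
        echo "error: $OUT_POLICY is empty; was learning enabled with -F?" >&2
        return 1
    fi
    echo "policy written to $OUT_POLICY; review it, then: gradm -E" >&2
}

# Usage: ./learn.sh start   (then use the box for a day)
#        ./learn.sh generate
case "${1:-}" in
    start)    start_full_learning ;;
    generate) generate_policy ;;
esac
```

Run the script with `start` before the learning period and with `generate` after it; the generated file is written to a new path rather than over /etc/grsec/acl so it can be reviewed before `gradm -E` loads it.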