Large learning log
Posted: Tue Sep 21, 2004 10:00 am
Hello. We are considering rolling out grsec on our new servers (whenever we actually get them) and I am trying to test run grsec on a test server we have been using. We have a lot going on here with users ftping and using afpd all day. After running gradm2 in full learning mode overnight it generated a log of 22MB (not huge, but big). Now whenever I try to generate an ACL from the log gradm2 gives a good deal of output and then just seems to continue working to no end (I let it go for about 1 hour while doing other things).
I basically followed the quickstart guide command-wise, using:
gradm -F -L /etc/grsec/learning.log
and then,
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/ac
which outputs....
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user andy...done.
Beginning full learning subject reduction for user www-data...done.
Beginning full learning subject reduction for user mysql...done.
Beginning full learning subject reduction for user mail...done.
Beginning full learning subject reduction for user Debian-exim...done.
Beginning full learning subject reduction for user ljcatalog...done.
Beginning full learning subject reduction for user nobody...done.
Beginning full learning subject reduction for user man...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/chgrp...done.
Beginning full learning object reduction for subject /bin/chmod...done.
Beginning full learning object reduction for subject /bin/chown...done.
Beginning full learning object reduction for subject /bin/cp...done.
Beginning full learning object reduction for subject /bin/gzip...done.
Beginning full learning object reduction for subject /bin/ln...done.
Beginning full learning object reduction for subject /bin/ls...done.
Beginning full learning object reduction for subject /bin/mv...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /etc/cron.daily/exim4-base...done.
Beginning full learning object reduction for subject /sbin/start-stop-daemon...done.
Beginning full learning object reduction for subject /sbin/syslogd...done.
Beginning full learning object reduction for subject /tmp/logrotate.EIgEdT...done.
Beginning full learning object reduction for subject /usr/bin/logger...done.
Beginning full learning object reduction for subject /usr/bin/mysql...done.
Beginning full learning object reduction for subject /usr/bin/mysqladmin...done.
Beginning full learning object reduction for subject /usr/bin/updatedb...done.
Beginning full learning object reduction for subject /usr/sbin/afpd...done.
Beginning full learning object reduction for subject /usr/sbin/crack_packer...done.
Beginning full learning object reduction for subject /usr/sbin/cron...done.
Beginning full learning object reduction for subject /usr/sbin/exim4...done.
Beginning full learning object reduction for subject /usr/sbin/logrotate...done.
Beginning full learning object reduction for subject /usr/sbin/ntpdate...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Beginning full learning object reduction for subject /usr/sbin/vsftpd...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /usr/sbin/apache...done.
Beginning full learning object reduction for subject /usr/sbin/mysqld...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/sbin/exim4...done.
Beginning full learning object reduction for subject /usr/sbin/exim_tidydb...done.
Beginning full learning object reduction for subject /usr/sbin/vsftpd...done.
Beginning full learning object reduction for subject /...
It does all that in the first minute and then sits with 99% CPU for (at least) an hour.
It seems like a rather trivial issue but I was unable to find a good answer on the website or by googling. Can anyone point out what I'm doing wrong here?
Kernel: Linux 2.6.7-grsec (Debian unstable)
EDIT: I also tested it by letting full learning run for a few minutes and build a 20k log file. gradm2 was able to make an ACL out of that just fine.
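As an added illustration (not part of the original post or of gradm itself), the script below summarises a full-learning log by subject so you can see which subject, often the catch-all "/" where the output above stalls, carries the bulk of the distinct objects that the reduction pass has to work through. It assumes a tab-separated layout of role, uid, gid, subject, object, mode; check one line of your own log before trusting the column positions. The sample log lines are constructed, and the mktemp-style temp names mirror the /tmp/logrotate.EIgEdT subject seen in the output.

```python
import re
from collections import defaultdict

# Assumed learning-log layout (verify against a line of your own log):
#   role <TAB> uid <TAB> gid <TAB> subject <TAB> object <TAB> mode <TAB> ...
# Constructed sample; the mktemp-style names inflate the distinct-object
# count for the catch-all subject "/".
SAMPLE_LOG = """\
default\t0\t0\t/\t/etc/passwd\tr\t0
default\t0\t0\t/\t/tmp/logrotate.EIgEdT\trw\t0
default\t0\t0\t/\t/tmp/logrotate.kQ3xZa\trw\t0
default\t0\t0\t/\t/tmp/logrotate.Pp91Ab\trw\t0
default\t0\t0\t/usr/sbin/vsftpd\t/etc/vsftpd.conf\tr\t0
default\t0\t0\t/usr/sbin/vsftpd\t/home/andy/upload.bin\tw\t0
default\t0\t0\t/bin/su\t/etc/shadow\tr\t0
"""
# Heuristic: a trailing ".XXXXXX" of six alphanumerics looks like mktemp output.
TEMP_SUFFIX = re.compile(r"\.[A-Za-z0-9]{6}$")

def parse_line(line):
    """Return (role, subject, object) or None for blank or short lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    return fields[0], fields[3], fields[4]

def objects_per_subject(log_text):
    """Map (role, subject) -> set of distinct object paths seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            role, subj, obj = rec
            seen[(role, subj)].add(obj)
    return seen

def collapsed_objects(objs):
    """Distinct objects after folding temp names (logrotate.EIgEdT -> logrotate.*)."""
    return {TEMP_SUFFIX.sub(".*", o) for o in objs}

def report(log_text):
    """Rows of (role, subject, raw_objects, folded_objects), largest raw first."""
    rows = [(role, subj, len(objs), len(collapsed_objects(objs)))
            for (role, subj), objs in objects_per_subject(log_text).items()]
    rows.sort(key=lambda r: -r[2])
    return rows

if __name__ == "__main__":
    for role, subj, raw, folded in report(SAMPLE_LOG):
        print(f"{role:8} {subj:18} objects={raw:3} after folding temp names={folded}")
```

A large gap between the raw and folded counts for one subject points at randomly named files that each become a separate object in the log; on a real 22MB log, run it with the file contents in place of SAMPLE_LOG.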