Learning disability

PostPosted: Fri Dec 20, 2002 5:00 pm
by dermike
Kernel: 2.4.20
Grsec: 1.9.8-rc2
Gradm: 1.6-rc2
No other patches

I'm calling this a learning disability because learning seems to work for some programs, but not others. Even on programs it does work on, some things still do not show up, even though they show up in syslog.

I have a machine setup with the following:
Apache
MySQL (localhost)
Messagewall
Postfix (localhost)
Openssh
xinetd
imapd

For each of those daemons, I set up a minimal acl as follows:
/path/to/binary lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}

I then enabled my ACL system, stopped and restarted all the daemons listed above, and let them run over the course of 3 days. During that time, I also stopped and started each of the daemons several times.

After 3 days, I performed the following:
grep LEARN /var/log/messages | perl -pe 's/From \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}: //o' >LEARN
gradm -L LEARN -O learning

(The perl is mainly due to the fact that some "From #.#.#.#: " entries are still showing up in the LEARN entries, and gradm doesn't recognise them. )

The 'LEARN' file output is about 3Mb in size.

When I examine the 'learning' acl file, the only daemons that have any content are apache and mysql. The MySQL output is very complete, and the apache one looked complete until I noticed that:
bind {
disabled
}

and lsof outputs:
httpd      1641   root   19u  IPv4 152860       TCP *:https (LISTEN)
httpd      1641   root   20u  IPv4 152861       TCP *:http (LISTEN)

When I tried to find the binds in the log, I then noticed that everything that binds to 0.0.0.0:xx does not properly show the port number in the LEARN log entries... for example:
# grep :0.0.0.0: LEARN
... cut several hundred lines...
Dec 20 11:42:25 icarus kernel: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
Dec 20 12:08:25 icarus kernel: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
Dec 20 12:20:05 icarus kernel: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
Dec 20 13:06:26 icarus kernel: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
(note no port numbers... this is common for everything that was returned)

# grep :127.0.0.1: LEARN
Dec 17 22:43:50 icarus kernel: grsec: LEARN:18434:342991:127.0.0.1:3306:1:6:1
Dec 17 22:45:03 icarus kernel: grsec: LEARN:18434:342991:127.0.0.1:3306:1:6:1
...cut several hundred lines...

# grep :172.19.151.20: LEARN | tail
Dec 17 22:46:44 icarus kernel: grsec: LEARN:18434:538986:172.19.151.20:25:1:6:1
Dec 17 23:13:14 icarus kernel: grsec: LEARN:18434:538986:172.19.151.20:25:1:6:1
Dec 17 23:13:33 icarus kernel: grsec: LEARN:18434:538986:172.19.151.20:25:1:6:1

The other daemons have output ACLs that look like:
/path/to/binary o {
        /path/to/binary x
        / h
        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_STACK 0 0
        RES_RSS 0 0

        RES_NPROC 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_AS 0 0
        RES_LOCKS 0 0

        connect {
                disabled
        }

        bind {
                disabled
        }
}

Which is funny because I can find hundreds of corresponding matches for files for each one of them in the LEARN file.

Anyone have any ideas?

Thanks,
Mike
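As an added example (not code from the thread or from gradm), here is a small Python parser that applies the same "From a.b.c.d: " clean-up as the perl filter above, pulls the address and port out of the socket-style LEARN lines, flags the port-0 entries dermike describes for 0.0.0.0 binds, and folds the hundreds of repeats into distinct socket tuples. The meaning of the trailing fields after the port is an assumption, and the sample log lines are constructed in the thread's format.

```python
import re
from collections import Counter

# Same clean-up as the perl one-liner above: strip a stray
# "From a.b.c.d: " prefix that gradm does not recognise.
FROM_PREFIX = re.compile(r'From \d{1,3}(?:\.\d{1,3}){3}: ')

# Socket-style LEARN line as seen in the thread:
#   LEARN:<n1>:<n2>:<addr>:<port>:<rest>
# Only <addr> and <port> are interpreted; <rest> ("2:17:1" / "1:6:1" in the
# thread) is kept verbatim (assumption: socket type, IP protocol, a flag).
LEARN_RE = re.compile(
    r'grsec: LEARN:(?P<n1>\d+):(?P<n2>\d+):'
    r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):'
    r'(?P<rest>[\d:]+)$')

# Constructed sample log in the thread's format: one line carries the
# stray "From" prefix, and the last line is unrelated kernel noise.
SAMPLE_LOG = """\
Dec 20 11:42:25 icarus kernel: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
Dec 20 12:08:25 icarus kernel: From 10.0.0.5: grsec: LEARN:18434:538986:0.0.0.0:0:2:17:1
Dec 17 22:43:50 icarus kernel: grsec: LEARN:18434:342991:127.0.0.1:3306:1:6:1
Dec 17 22:46:44 icarus kernel: grsec: LEARN:18434:538986:172.19.151.20:25:1:6:1
Dec 17 22:47:01 icarus kernel: eth0: link up
"""

def clean_line(line):
    """Apply the same substitution as the thread's perl -pe filter."""
    return FROM_PREFIX.sub('', line)

def parse_socket_entries(text):
    """Return one dict per socket-style LEARN line, in log order."""
    entries = []
    for raw in text.splitlines():
        m = LEARN_RE.search(clean_line(raw))
        if m:
            d = m.groupdict()
            d['port'] = int(d['port'])
            entries.append(d)
    return entries

def missing_port_entries(entries):
    """Entries with port 0: the symptom dermike saw for 0.0.0.0 binds."""
    return [e for e in entries if e['port'] == 0]

def distinct_sockets(entries):
    """Fold the repeated lines into (addr, port, rest) tuples with counts."""
    return Counter((e['addr'], e['port'], e['rest']) for e in entries)
```

Running `missing_port_entries(parse_socket_entries(open('LEARN').read()))` over a real LEARN file lists exactly the bind entries gradm cannot turn into a usable `bind { }` rule, which is a quick check before blaming the ACL itself.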

PostPosted: Thu Jan 16, 2003 2:32 pm
by Defcon7
Hi all,
I have the identical problem as dermike; I'm using Debian woody and grsec was set to the "medium" level.

Any help will be appreciated.

PostPosted: Thu Jan 16, 2003 6:15 pm
by spender
Try out the current CVS of gradm and grsecurity. I've fixed all reported problems related to the learning mode.

-Brad