Sample grsecurity logs?


Sample grsecurity logs?

Postby shepherd » Tue Feb 28, 2012 9:28 am

Hi all,

I'm currently working on preparing our SIEM tool to alert on various grsecurity messages - I would be very grateful if someone could help me shortcut dealing with all of the different conditions/messages by sharing copies of their logs with me. I've already got a Debian system with 3.2.7 kernel + grsec 2.9 having messages redirected by rsyslog into a specific grsecurity.log file and have grabbed the mount/chdir/exec/time set messages OK (now working on some ACLs), but creating messages for each of the cases in DEFINE GR_*_MSG I think is going to take me ages.

I appreciate that people may not want to share real logs from their production systems, but perhaps some from a test/dev platform with any IPs changed out for fakes?

Cheers,
shepherd
shepherd
 
Posts: 5
Joined: Thu Feb 16, 2012 8:36 am

Re: Sample grsecurity logs?

Postby spender » Tue Feb 28, 2012 11:02 am

Are you creating regexes of the log formats or something? Many years ago I wrote all these up for prelude-ids. Some of the entries will be out of date, but many should still be accurate.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Sample grsecurity logs?

Postby shepherd » Tue Feb 28, 2012 11:59 am

Hi Brad,

Yes, creating regexes. Thanks for the heads up on Prelude. I pulled the source package from Debian and found the grsecurity.rules file in there. There are some log examples in there I can test with too.
If I can cobble together some testing scripts then I can check my parsing rules are working OK... can you recommend any tools which can automate the generation of some/all of the conditions grsecurity hardens against (and therefore generates the log message)?

Many thanks for your help,
shepherd
shepherd
 
Posts: 5
Joined: Thu Feb 16, 2012 8:36 am

Re: Sample grsecurity logs?

Postby spender » Tue Feb 28, 2012 2:57 pm

For starters:
http://cvsweb.grsecurity.net/?p=regress ... ;a=summary

I'll also run my RBAC regression tests and give you the logs from that.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Sample grsecurity logs?

Postby spender » Tue Feb 28, 2012 8:31 pm

spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Sample grsecurity logs?

Postby shepherd » Wed Feb 29, 2012 9:23 am

Brad,

Thank you very much for all of that - really useful and has saved me considerable time and effort.
I've picked up something for you off your Amazon wishlist to say thanks - have sent you a separate e-mail on that.

Cheers!
shepherd
 
Posts: 5
Joined: Thu Feb 16, 2012 8:36 am

Re: Sample grsecurity logs?

Postby spender » Wed Feb 29, 2012 9:36 am

Thanks sir! Much appreciated! Don't forget that any log can be prepended with the "From %u.%u.%u.%u:" that you've probably already seen. Also, most RBAC messages that have "denied" in them can have "successful" substituted in the case of auditing.

You can also run paxtest to get some of the logs from PaX.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
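The points Brad raises above (the optional "From a.b.c.d:" prefix on any line, and "denied" becoming "successful" under RBAC auditing) are exactly where a hand-written SIEM regex tends to break. The following Python is an added example, not code from the thread or from grsecurity's own sources: one regex that tolerates both variants, plus a helper that turns a "denied" test line into its audit counterpart so the parsing rules can be exercised against both forms. The sample lines are constructed for this example and only approximate the general shape of grsecurity kernel messages; the exact fields differ between versions, so the pattern should be checked against real output before use.

```python
import re
from typing import List, Optional

# Constructed sample lines (not from the thread; approximate grsecurity shape).
SAMPLE_LINES = [
    "grsec: exec of /bin/ls (ls ) by /bin/bash[bash:1234] uid/euid:1000/1000 "
    "gid/egid:1000/1000, parent /usr/sbin/sshd[sshd:1111] uid/euid:0/0 gid/egid:0/0",
    "grsec: From 192.0.2.10: (test:U:/) denied access to hidden file /etc/shadow "
    "by /bin/cat[cat:2222] uid/euid:1000/1000 gid/egid:1000/1000, "
    "parent /bin/bash[bash:1234] uid/euid:1000/1000 gid/egid:1000/1000",
    "grsec: From 192.0.2.10: (test:U:/) successful access to hidden file /etc/shadow "
    "by /bin/cat[cat:2222] uid/euid:1000/1000 gid/egid:1000/1000, "
    "parent /bin/bash[bash:1234] uid/euid:1000/1000 gid/egid:1000/1000",
    "kernel: something unrelated",
]

# One pattern for all three shapes: plain, "From ip:" prefixed, and RBAC
# role-tagged lines with either a "denied" or "successful" verdict.
GRSEC_RE = re.compile(
    r"^grsec: "
    r"(?:From (?P<src>\d{1,3}(?:\.\d{1,3}){3}): )?"   # optional remote peer prefix
    r"(?:\((?P<role>[^)]*)\) )?"                        # optional RBAC role/subject tag
    r"(?:(?P<verdict>denied|successful) )?"             # audit mode flips denied->successful
    r"(?P<event>.+?)"                                   # the event text itself (lazy)
    r"(?: by (?P<proc>\S+)\[(?P<comm>[^:\]]*):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:, parent (?P<parent>\S+)\[[^\]]*\] .*)?)?$"    # optional acting process + parent
)

INT_FIELDS = ("pid", "uid", "euid", "gid", "egid")


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of named fields for a grsec line, or None if it is not one."""
    m = GRSEC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def parse_lines(lines: List[str]) -> List[dict]:
    """Parse a batch of lines, silently skipping anything that is not grsec output."""
    return [rec for rec in (parse_line(l) for l in lines) if rec is not None]


def classify(rec: dict) -> str:
    """Map the verdict to a SIEM bucket: a denial is an alert, an audited success
    is informational-audit, and verdict-less lines (exec/chdir/mount logging) are info."""
    if rec["verdict"] == "denied":
        return "alert"
    if rec["verdict"] == "successful":
        return "audit"
    return "info"


def audit_variant(line: str) -> str:
    """Produce the auditing form of a 'denied' line, as described in the thread,
    so test fixtures cover both spellings of the same event."""
    return re.sub(r"\bdenied\b", "successful", line, count=1)


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(classify(rec), rec["src"], rec["role"], rec["event"], rec["proc"], rec["pid"])
```

The prefix and verdict groups are optional rather than alternated into separate patterns, so a single rule keeps matching when a host switches an RBAC subject from deny to audit mode or when a remote-peer address appears. Any line that fails the pattern should be routed to a catch-all rule rather than dropped, since an unparsed grsec line is still worth seeing.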
