Hi guys,
Please forgive me as I am new to Grsecurity.
Kernel Version: 2.6.32-60
OS: Debian 6.0.5 64-bit
I recently added Modsecurity to my system that is running Grsecurity. I noticed in the logs a few entries relating to it and I was wondering if someone could help me understand what is going on how and what I need to do to correct it.
[625923.750644] grsec: From 10.240.1.126: (www-data:U:/usr/lib/apache2/mpm-prefork/apache2) denied access to hidden file /etc/apache2/modsecurity/var/tmp/global.dir by /usr/lib/apache2/mpm-prefork/apache2[apache2:1687] uid/euid:33/33 gid/egid:33/33, parent /usr/lib/apache2/mpm-prefork/apache2[apache2:1406] uid/euid:0/0 gid/egid:0/0
There is no documentation online that explains the FORMAT of the logs and what everything means.
Questions:
What does www-data:U:/usr/apache2/mpm-prefork/apache2 mean? www-data is account / username that runs the Apache httpd daemon
What does :U mean?
What does parent /usr/lib/apache2/mpm-prefork/apache2{apache2:1406} mean?
From what I understand the Subject (www-data:U:/usr/lib/apache2/mpm-prefork/apache2 is trying to access the Object (/etc/apache2/modsecurity/var/tmp/global.dir and was denied access. Is this correct? If so, what do I do to correct this error in my /etc/grsec/policy file.
I have grsecurity setup for split-roles to make troubleshooting much easier. In in /etc/grsec/users/ directory the policy is broken down by username such as Debian-exim, mysql, nobody, root, sshd, www-data , messagebus etc. Am i correct in assuming that I need to edit /etc/grsec/users/www-data and make adjustments to the "subject /usr/lib/apache2/mpm-prefork/apache2" line?
After I make the change, do I just re-enable the system and the new changes take effect?
thanks everyone for your support and taking the time to read this and helping me understand Grsecurity a lot more.
cheers
Help me understand log entries
2 posts
• Page 1 of 1
Help me understand log entries
by grsecurityrocks » Wed Oct 02, 2013 3:05 pm
- grsecurityrocks
- Posts: 1
- Joined: Wed Oct 02, 2013 12:16 pm
Re: Help me understand log entries
by ldunston » Thu Oct 10, 2013 8:11 pm
Heh, log entries can be daunting at first but they are pretty easy once you get the hang of them.
I don't know all of the answers you posted but here's what I do know:
You have a subject /usr/lib/apache2/mpm-prefork/apache2 which denied access to a hidden file /etc/apache2/modsecurity/var/tmp/global.dir. The process attempting to access that file was /usr/lib/apache2/mpm-prefork/apache2[apache2:1687]. That process that was blocked was a child of /usr/lib/apache2/mpm-prefork/apache2[apache2:1406].
To fix the deny you'll have to add access to the denied file in the apache2 subject like this:
/etc/apache2/modsecurity/var/tmp/global.dir r
(I'm not sure which type of access is needed but assuming read access)
I don't know all of the answers you posted but here's what I do know:
You have a subject /usr/lib/apache2/mpm-prefork/apache2 which denied access to a hidden file /etc/apache2/modsecurity/var/tmp/global.dir. The process attempting to access that file was /usr/lib/apache2/mpm-prefork/apache2[apache2:1687]. That process that was blocked was a child of /usr/lib/apache2/mpm-prefork/apache2[apache2:1406].
To fix the deny you'll have to add access to the denied file in the apache2 subject like this:
/etc/apache2/modsecurity/var/tmp/global.dir r
(I'm not sure which type of access is needed but assuming read access)
- ldunston
- Posts: 10
- Joined: Mon Dec 03, 2012 2:28 pm
2 posts
• Page 1 of 1