Not a pretty sight...

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby darklogik_org » Sun May 09, 2004 10:14 am

Greetings.

I am on Slackware -current using a vanilla kernel 2.6.5 (with grsecurity patch).
I selected the Custom security level in the kernel. I made a list of the options compiled in (always a good thing to do with kernels :wink: ), which aren't listed here for the sake of not posting a huge thread.

I am using the default ACL now, as I can't find any documentation for this version of grsecurity.
The problem is this: Whenever I activate the RBAC system with gradm, I get this error in the logs:

Code:
May  9 15:05:33 logik kernel: grsec: Loaded grsecurity 2.0
May  9 15:05:33 logik kernel: Cannot read proc file system: 1 - Operation not permitted.


That's not good. Neither is this:

Code:
May  9 15:06:03 logik last message repeated 789827 times
May  9 15:06:31 logik last message repeated 716261 times


Followed by this when disabling RBAC using gradm...

Code:
May  9 15:06:31 logik kernel: grsec: use of CAP_SYS_ADMIN denied for /usr/sbin/klogd[klogd:13523] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May  9 15:06:31 logik last message repeated 4 times
May  9 15:06:31 logik kernel: grsec: more alerts, logging disabled for 10 seconds
May  9 15:06:31 logik kernel: grsec: use of CAP_SYS_ADMIN denied for /usr/sbin/klogd[klogd:13523] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May  9 15:06:31 logik last message repeated 4 times


Now, what have I done so spectacularly wrong that this should happen with all the default settings?

mark
http://www.darklogik.org
darklogik_org
 
Posts: 4
Joined: Sun May 09, 2004 9:40 am

Umm

Postby Anlar » Sun May 09, 2004 2:47 pm

Just my humble guess, but I bet you are supposed to start with "full learning", using that ACL as the basis. That ACL alone isn't supposed to do anything other than what it actually did for you when you enabled enforcing.

I would read the comments on the ACL file.

Just my guess. :lol:
Anlar
 
Posts: 5
Joined: Sun Oct 12, 2003 1:39 pm

Postby darklogik_org » Sun May 09, 2004 3:51 pm

Ah. I'm praying for more documentation. I've heard it's on the way. :)

Essentially, I add a process (such as /usr/local/bin/mozilla) to my ACL, then run learning mode. Running the program a few times will generate an ACL for that process, which I then tweak to my needs?

Correct me if I'm wrong.

Before the hailstorm of RTFM's, I did. The trouble with that is that you don't always GTFM.

mark
http://www.darklogik.org

Happened to me too...

Postby bmcmurphy » Tue May 11, 2004 10:13 am

fixed it with:

subject /sbin/klogd o {
	# o: override, so nothing is inherited from the default subject
	# hide the whole filesystem (h) ...
	/		h
	# ... except klogd's own binary, which it may execute (x)
	/sbin/klogd	x
	# drop every capability, then grant back the one the log showed denied
	-CAP_ALL
	+CAP_SYS_ADMIN
	bind	disabled
	connect	disabled
}


Cheers
bmcmurphy
 
Posts: 13
Joined: Wed Dec 11, 2002 10:53 am

Postby darklogik_org » Tue May 11, 2004 1:05 pm

Thanks. :)

But...

I'm currently running learning mode. I read in some Debian security tutorial that you're supposed to leave it running for about a week or so. It's been going for around 8 hours. Hopefully this will be in the 2.0 docs, as I had no idea how to use learning mode until I found that article.

cheers
mark
http://www.darklogik.org

*an update*

Postby darklogik_org » Tue May 18, 2004 5:47 pm

Hmm.. Now I'm in a mess.

I ran the full learning mode for five days (I disabled it today). I was left with a 459 MB log file, which I *cannot* parse into a config file (gradm terminates with an out-of-memory error). Now what am I supposed to do?

:roll:

Re: *an update*

Postby Thomas Weinbrenner » Wed May 19, 2004 4:50 pm

darklogik_org wrote: I ran the full learning mode for five days (I disabled it today). I was left with a 459 MB log file, which I *cannot* parse into a config file (gradm terminates with an out-of-memory error). Now what am I supposed to do?


I had the same problem. gradm was able to parse it after I removed all duplicate entries using
sort logfile | uniq > logfile2
Thomas Weinbrenner
 
Posts: 1
Joined: Wed May 19, 2004 4:37 pm

Re: *an update*

Postby voron » Fri Aug 22, 2008 11:22 am

Thomas Weinbrenner wrote:
darklogik_org wrote: I ran the full learning mode for five days (I disabled it today). I was left with a 459 MB log file, which I *cannot* parse into a config file (gradm terminates with an out-of-memory error). Now what am I supposed to do?

I had the same problem. gradm was able to parse it after I removed all duplicate entries using
sort logfile | uniq > logfile2

Maybe this should be reflected in the docs, manuals, etc.? This can significantly speed up the learning process, with the same results as with the original file. I used sort|uniq on the learning log many times without any problems.
voron
 
Posts: 22
Joined: Mon May 29, 2006 8:54 am
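The de-duplication step Thomas Weinbrenner and voron describe above, as an added worked example that is not part of the original thread or of gradm itself. It does the same thing as sort | uniq in one pass, and adds the check a practitioner would want before trusting the smaller file: that the result contains exactly the distinct lines of the original, nothing dropped and nothing invented. The sample log lines are constructed placeholders, not real gradm learning-log records; the gradm invocation in regenerate_policy is the full-system-learning output form given in later gradm documentation and is an assumption to confirm against gradm -h on your own version.

```shell
#!/bin/sh
# Added example (not from the thread): shrink a grsecurity full-learning log by
# removing duplicate records before gradm parses it, then verify that nothing
# other than duplicates was dropped.

# dedup_learning_log SRC DST [TMPDIR]
# Same result as "sort SRC | uniq > DST", in a single sort pass. LC_ALL=C sorts
# raw bytes (faster, and identical on every machine); -S bounds sort's in-core
# buffer and -T chooses where its spill files go, which must have room for a
# copy of SRC (a 459 MB log needs that much free space there).
dedup_learning_log() {
    src=$1; dst=$2; tmp=${3:-${TMPDIR:-/tmp}}
    LC_ALL=C sort -u -S 64M -T "$tmp" "$src" > "$dst"
}

# distinct_lines FILE: count of distinct lines, computed with plain sort|uniq
# so the check below does not rely on the function it is checking.
distinct_lines() {
    LC_ALL=C sort "$1" | uniq | wc -l | tr -d ' '
}

# check_dedup SRC DST: succeeds only if DST holds exactly the distinct lines of
# SRC: same distinct-line count, no duplicates left in DST, and no line in DST
# that is absent from SRC.
check_dedup() {
    src=$1; dst=$2
    n_dst=$(wc -l < "$dst" | tr -d ' ')
    [ "$(distinct_lines "$src")" -eq "$n_dst" ] || return 1
    [ "$(distinct_lines "$dst")" -eq "$n_dst" ] || return 1
    LC_ALL=C sort -u "$src" > "$dst.ref.$$"
    # comm -13 prints lines present only in DST; any output means a line was invented
    if LC_ALL=C comm -13 "$dst.ref.$$" "$dst" | grep -q .; then
        rm -f "$dst.ref.$$"
        return 1
    fi
    rm -f "$dst.ref.$$"
    return 0
}

# make_sample_log FILE: constructed stand-in for a learning log. These are NOT
# real gradm learning-log records, just four distinct lines repeated 250 times
# to mimic the "last message repeated N times" flood seen in the thread.
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 250 ]; do
        printf '%s\n' \
            'klogd read /proc/kmsg' \
            'klogd write /var/run/klogd.pid' \
            'mozilla read /home/mark/.mozilla' \
            'mozilla connect 127.0.0.1' >> "$1"
        i=$((i + 1))
    done
}

# regenerate_policy LOG POLICY: feed the reduced log back to gradm. This is the
# full-system-learning output form from later gradm documentation and is an
# assumption here; check it against "gradm -h" on your version. Not run below.
regenerate_policy() {
    gradm -F -L "$1" -O "$2"
}

# Demonstration on the constructed sample.
sample=${TMPDIR:-/tmp}/learning.sample.$$
make_sample_log "$sample"
dedup_learning_log "$sample" "$sample.dedup"
if check_dedup "$sample" "$sample.dedup"; then
    echo "ok: $(wc -l < "$sample" | tr -d ' ') lines -> $(wc -l < "$sample.dedup" | tr -d ' ') distinct"
fi
rm -f "$sample" "$sample.dedup"
```

Two caveats the thread does not spell out: sort needs roughly as much free space under the -T directory as the input file, so check that before running it on a multi-hundred-megabyte log; and while voron reports identical policies from the sorted log, the check above only proves the set of records is unchanged, so compare the generated policy against expectations (gradm -C, then a read-through) before enabling it.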
