'dry-run' complain-only grsec mode feature idea

Post by unclepedro » Sat Nov 05, 2005 6:04 pm

Hi all,

I had a brainstorm the other day -- we generated our ACL with the learning mode to start with, then went over it with a fine-toothed comb. Once we got everything set up properly, it's become relatively easy to add new apps and add their ACLs in if we just watched /var/log/grsec.log. See what causes errors, add appropriate ACLs, and restart. This was obviously not a production system.

The downside is obviously that any new features or services would be in various states of brokenness until the new ACLs were created.

Anyway, my brainstorm is that it would be useful to have a mode where grsecurity *acted* like it was running, but was only logging violations without actually blocking anything -- perhaps it could be 'gradm -W' for warn. You'd obviously want to have big warnings in the logs stating that it was in "WARN MODE" or whatever -- but then an administrator could write new rules, re-enable in "warn mode" and debug the rules while users wouldn't even see anything break on a live system. Once "warn mode" stopped generating errors, the rules could be enabled and enforced.

This is obviously a security risk of time-window n while the rules are not being enforced. If the admin is willing to have the server be 'live' but with grsecurity disabled for as long as it takes to write the new rules (often just a matter of minutes) they could set up new rules without disrupting service at all.

I haven't looked at the code yet to see how hard this would be, but I just thought I'd present it to the forum to see what people think.

Incidentally, in looking at the code (for something else) we noticed the Include directive for ACLs -- we now have all our roles separated in a directory -- apache.role, root.role, default.role -- etc., and these are all included in the first ACL. It makes searching and debugging easy because the filesystem layout matches the logical separation of permissions. Great feature!

unclepedro
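The "watch /var/log/grsec.log, see what is denied, add the matching ACL" loop described in the post can be made less error-prone by aggregating the denials per subject before anyone touches the policy. The script below is an added example, not code from the thread or from grsecurity itself; the sample log lines are constructed and their wording is an assumption about the denial message format, and the mapping of denial kinds to object mode letters (r/w/a/x) is the reviewer's choice, not gradm's output.

```python
import re
from collections import defaultdict

# Constructed sample denials, modelled on the shape of grsec.log entries
# (the exact wording is an assumption, not copied from a real system).
SAMPLE_LOG = """\
grsec: (root:U:/) denied access to hidden file /etc/shadow by /bin/cat[cat:2048] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2000] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied open of /var/log/httpd/error_log for writing by /usr/sbin/httpd[httpd:3001] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied open of /etc/httpd/httpd.conf for reading by /usr/sbin/httpd[httpd:3001] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied exec of /usr/bin/perl by /usr/sbin/httpd[httpd:3002] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/httpd[httpd:3001] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied open of /etc/httpd/httpd.conf for reading by /usr/sbin/httpd[httpd:3003] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# Assumed denial wording; the subject is the binary path before "[comm:pid]".
DENIAL = re.compile(
    r"denied (?P<kind>open of|exec of|access to hidden file) (?P<path>\S+)"
    r"(?: for (?P<how>\w+))? by (?P<subject>/\S+?)\["
)

# Map the open() intent to the RBAC object mode letter that would permit it.
MODES = {"reading": "r", "writing": "w", "appending": "a"}

def collect_denials(log_text):
    """Return {subject_path: {object_path: set(mode_letters)}} from denial lines."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not a denial line; ignore
        kind, path, how, subject = m.group("kind", "path", "how", "subject")
        if kind == "exec of":
            mode = "x"
        elif kind == "access to hidden file":
            mode = "r"  # least privilege: expose a hidden object read-only at most
        else:
            mode = MODES.get(how, "r")
        wanted[subject][path].add(mode)
    return wanted

def render_policy(wanted):
    """Render candidate 'subject' blocks in policy syntax for a human to review."""
    out = []
    for subject in sorted(wanted):
        out.append(f"subject {subject}")
        for path in sorted(wanted[subject]):
            out.append(f"\t{path} {''.join(sorted(wanted[subject][path]))}")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_policy(collect_denials(SAMPLE_LOG)))
```

Repeated denials collapse into one object line, so the reviewer sees each distinct (subject, object, mode) request once and decides whether it belongs in the role file rather than pasting log lines into the policy.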

Post by spender » Thu Nov 10, 2005 6:32 pm

Grsecurity already has the feature you're requesting. Remember that you can do not just full learning, but learning on a specific role, or also on a specific application. Performing learning on a specific application with a policy already defined will only log the violations for that policy.

-Brad