Process accounting

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Process accounting

Postby kerberos » Fri Dec 16, 2005 5:35 pm

Hips,

I'm about to send one of my server out in big world, and offer shell access for good friends and not so good friends for various needs.

I had set up and enabled process accounting with accton, and it was working just fine. Then I thought that I need bigger security, and decided to get grsecurity running.
Then problems started. I suppose some option in grsecurity destroys output for accton which logs into /var/log/pacct, and thus makes unusable everything in there.

I have tried to google around and searched forums how to correct this behaviour, but not seeing any help. All I find is that grsecurity has process accounting itself, but not too good documentation what I can do with it.

What I am looking is something similar as lastcomm from that old process accounting, which can be used to check commands executed per user.

Is anyone ran into similar troubles, or can anyone tell me how I should use grsecurity process accounting, or what I can use to easily check what users do on my server?
kerberos
 
Posts: 2
Joined: Fri Dec 16, 2005 5:28 pm

Postby spender » Sat Dec 17, 2005 6:56 pm

Did you enable process accounting in the kernel configuration when you built your grsecurity-enabled kernel? Grsecurity shouldn't have any effect on process accounting.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

config

Postby kerberos » Mon Dec 19, 2005 2:17 am

Yes, I did enable process accounting:

Code: Select all
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y


This is how things were working just fine before I started to work with grsecurity.

Here is my grsec choises:

Code: Select all
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
# CONFIG_GRKERNSEC_BIGMEM is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=150
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=151
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=152
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=153

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
# CONFIG_PAX is not set
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
# CONFIG_SECURITY_SELINUX_MLS is not set



Those are my security related config options in kernel config.

If I use lastcomm command, I get just this kind of output:
4? root ?? 0.00 secs Thu Jan 1 02:00
?? root ?? 0.00 secs Thu Jan 1 02:00


Just question marks, and clock is all the same for all. Only difference is for about first 50 entries, there is like this:

|? 34816 ?? 1.00 secs Thu Jan 1 02:16
?? 34816 ?? 1.00 secs Thu Jan 1 02:16

So time is a bit different for few entries, and then not root but 34816.

Does this give any ideas what I should turn on, or turn off?
kerberos
 
Posts: 2
Joined: Fri Dec 16, 2005 5:28 pm


Return to grsecurity support

cron