Hi all,
I have a problem with grsecurity 2.1.8 (kernel 2.6.14) and iptables version 1.2.11: since installing the grsecurity patch and gradm, iptables does not log to syslog anymore. Console logging still works and the messages are present in the kernel ring buffer (dmesg), but the kernel facility in syslog does not receive the messages from iptables specified with --LOG target anymore, no matter what priority I specify.
Has anyone ever experienced something similar before? Where should I go looking? I tweaked with kernel.printk, syslog.conf and the iptables LOG statement, but I'm quite stuck right now... Thanks for any hint!
Greetings,
Kilian
iptables not logging via syslog after installing grsecurity
5 posts
• Page 1 of 1
iptables not logging via syslog after installing grsecurity
by kiliber » Tue Jun 13, 2006 9:35 am
- kiliber
- Posts: 2
- Joined: Tue Jun 13, 2006 9:15 am
by Kp » Tue Jun 13, 2006 9:48 pm
I haven't seen this problem, but based on your description, syslog is unable to retrieve messages from the kernel. If you stop and restart syslog, do you see anything in dmesg from grsec about blocking syslog? Do you get any other kernel messages in your syslog output (for instance, grsec's alerts about policy violations)? What is your policy for the syslog daemon? Did you write it yourself or did you use the learning mode to create it? If you used learning mode, how long did you let it learn before you created the policy?
- Kp
- Posts: 46
- Joined: Tue Sep 20, 2005 12:56 am
by kiliber » Wed Jun 14, 2006 4:31 am
If I restart syslog, I don't see anything about grsec blocking syslog. And I do not get any other kernel messages in my syslog output.
About the policy: I used the learning mode as described in the Quickstart Guide, doing:
and after one day
now: do I need to copy this file /etc/grsec/acl over /etc/grsec/policy? I am not very clear about this..There exists a /etc/grsec/policy, but I did not create this file.
And yes, the LOG target is compiled into the kernel.
Thanks a lot for your help!
Greetings,
Kilian
About the policy: I used the learning mode as described in the Quickstart Guide, doing:
- Code: Select all
$ gradm -F -L /etc/grsec/learning.log
and after one day
- Code: Select all
$ gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl
now: do I need to copy this file /etc/grsec/acl over /etc/grsec/policy? I am not very clear about this..There exists a /etc/grsec/policy, but I did not create this file.
And yes, the LOG target is compiled into the kernel.
Thanks a lot for your help!
Greetings,
Kilian
- kiliber
- Posts: 2
- Joined: Tue Jun 13, 2006 9:15 am
5 posts
• Page 1 of 1