Truncated exec messages

Discuss and suggest new grsecurity features

Truncated exec messages

Postby bplant » Tue Jun 19, 2007 6:30 pm

Hi,

I'm running grsecurity on 2.6.18.8 under Xen 3.1 (sorry, that means I can't upgrade to latest). The system is a 64-bit Gentoo installation.

I have noticed that occasionally (maybe once per day or less), I get truncated exec log messages. For example:

gios/bin/nagios) exec of /bin/bash (sh -c /usr/nagios/libexec/check_ping -H 10.10.20.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /usr/nagios/bin/nagios[nagios:29366] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:919] uid/euid:414/414 gid/egid:414/414

gios[nagios:6238] uid/euid:414/414 gid/egid:414/414

>grsec: (nagios:U:/usr/nagios/bin/nagios) exec of /usr/nagios/libexec/check_ping (/usr/nagios/libexec/check_ping -H 10.10.50.2 -w 250.0,20% -c 500.0,60% -p 5 ) by /bin/bash[sh:5151] uid/euid:414/414 gid/egid:414/414, parent /usr/nagios/bin/nagios[nagios:23988] uid/euid:414/414 gid/egid:414/414

The issue seems to only appear on the monitoring servers (the ones that run nagios), but I have seen it on one of the mail servers maybe once. The truncated log messages are very rare given the ~1 million exec messages logged per day. I would never have noticed it had I not been running log monitoring software.

I never witnessed the log truncation when running the 2.6.16.x kernels with grsec and older versions of Xen and syslog-ng hasn't been upgraded at all. While Xen has been upgraded, I wouldn't have thought it should affect logging.

Any help/clues/fixes/suggestions most welcome.

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Re: Truncated exec messages

Postby bplant » Fri Jan 11, 2008 7:45 pm

Just a note, this still occurs with a grsecurity-2.1.10-200704241759 that I rolled for a 2.6.20 kernel recently to work with xen. Patch can be found at http://ayuda.com.au/pub/. I would love to upgrade to the latest version of grsec, but the xen implementation currently in mainline is very cut down and doesn't have a lot of features that we use.

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Re: Truncated exec messages

Postby PaX Team » Sun Jan 13, 2008 10:18 am

bplant wrote:I would love to upgrade to the latest version of grsec, but the xen implementation currently in mainline is very cut down and doesn't have a lot of features that we use.
my understanding is that 2.6.23 has domU support, but not dom0. are you trying to use grsec in the latter as well? in any case, it'd help me a lot if you/others began testing 2.6.23/domU as i tried to change PaX to accomodate it as well but can't test it myself (well, not without the effort of setting up a whole Xen environment, something i don't have the time for right now).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Truncated exec messages

Postby bplant » Sun Jan 13, 2008 4:13 pm

Yep, I am using grsec on both dom0 and domU. Unfortunately the xen implementation in 2.6.23 isn't complete. When I say that I mean it doesn't have suspend/resume, memory ballooning or live migration, not to mention that it is 32 bit only and I am using 64.
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm


Return to grsecurity development

cron