Wrong IP address logged

Post by marshall » Fri Aug 01, 2008 12:07 pm

I've recently set up grsecurity, and have been watching my logfiles. In my /var/log/grsec.log file, I notice entries such as:

Aug 1 09:57:17 ghostwheel grsec: From 192.168.0.1: mount of /sys to /.chroot/foo/sys by /bin/mount[mount:21603] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:21598] uid/euid:0/0 gid/egid:0/0

The only strange thing is that the IP address of the system is 192.168.0.2. Any idea why this IP address would be logged incorrectly like this? I sure appreciate any ideas.

Thanks!
marshall
 
Posts: 2
Joined: Fri Aug 01, 2008 12:05 pm

Wrong expectation from the user side?

Post by Alexei.Sheplyakov » Fri Aug 01, 2008 1:14 pm

marshall wrote: Aug 1 09:57:17 ghostwheel grsec: From 192.168.0.1: mount of /sys to /.chroot/foo/sys by /bin/mount[mount:21603] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:21598] uid/euid:0/0 gid/egid:0/0


AFAIK, grsecurity logs _remote_ IPs. So, this line says that someone who logged in from 192.168.0.1 mounted /sys on /.chroot/foo/sys. Thus, I don't think there's anything wrong here (unless the address of the remote host is not 192.168.0.1, or you are logged in locally, or something like that).
Alexei.Sheplyakov
 
Posts: 53
Joined: Sun Feb 19, 2006 11:48 am
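
As an added example (not part of the original posts and not grsecurity code): a parser for the log line quoted in this thread that reads the "From" address as the session's remote origin and groups root events by it. The function names, the treatment of a missing "From" prefix as a local session, and the second sample line are assumptions of this example.

```python
import re
from collections import defaultdict

# Layout taken from the log line quoted in this thread. Treating the
# "From <ip>: " prefix as optional (absent for a local session) is an
# assumption of this example.
GRSEC_RE = re.compile(
    r"grsec: (?:From (?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3}): )?"
    r"(?P<event>.+?) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

def parse_grsec(line):
    """Return the fields of one grsec log line, or None if it does not match."""
    m = GRSEC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    return rec

def root_events_by_origin(lines):
    """Group euid-0 events by the remote address the session came from."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_grsec(line)
        if rec and rec["euid"] == 0:
            # remote_ip is where the user connected from, not this host's address
            grouped[rec["remote_ip"] or "local"].append(rec["event"])
    return dict(grouped)

SAMPLE = [
    # Line quoted in the thread.
    "Aug 1 09:57:17 ghostwheel grsec: From 192.168.0.1: mount of /sys to /.chroot/foo/sys by /bin/mount[mount:21603] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:21598] uid/euid:0/0 gid/egid:0/0",
    # Constructed for this example: same event shape with no "From" prefix.
    "Aug 1 10:02:41 ghostwheel grsec: mount of /proc to /.chroot/foo/proc by /bin/mount[mount:21710] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:21705] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    for origin, events in root_events_by_origin(SAMPLE).items():
        print(origin, events)
```
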

Re: Wrong IP address logged

Post by marshall » Mon Aug 11, 2008 11:46 pm

Oh, I completely misunderstood, my bad! So, if I ssh in from another system to 192.168.0.2 from 192.168.0.1, then trigger something that is going to be logged, it shows the remote IP address I connected _from_ rather than the IP of the system I'm on. OK, that's handy! Cool, thanks for clearing that up!
marshall
 
Posts: 2
Joined: Fri Aug 01, 2008 12:05 pm

