No logging seen

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

No logging seen

Postby gazolinia » Fri Feb 26, 2010 1:41 am

Hi,

I have installed grsecurity stable version to kernel 2.6.32.8 to my centos5.3 .The installation seems successful.

Steps I followed .

1) Untar linux,
2) patch with grsecurity
3) make menuconfig ( Here I went for custom, and selected the below options ) Besides I also Enabled CONFIG_SYSFS_DEPRECATED_V2 in the kernel source configuration, because previously I got boot up error
4) make
5) sudo make modules_install
6) sudo make install
5) Rebooted with new kernel(grsecurity patched)

But even after successful bootup sysctl.conf doesnot have any grsecurity related parameters as well as I am seeing no logs associated with grsecurity anywhere /var/log/grsec.log . Please help me to identify whether grsecurity functions well in my new kernel and if so where I can see the logs .

The grsecurity related configurations are :

# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30


#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
# CONFIG_GRKERNSEC_CHROOT_MKNOD is not set
# CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
# CONFIG_GRKERNSEC_CHROOT_UNIX is not set
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set


# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4



Thanks in Advance ,
Jai
gazolinia
 
Posts: 8
Joined: Wed Feb 10, 2010 1:32 am

Re: No logging seen

Postby cormander » Fri Feb 26, 2010 2:18 am

sysctl.conf wouldn't have the entries unless you added them yourself. Do this:

ls /proc/sys/kernel/grsecurity/

That should show you your options. They should mostly all be enabled by default due to your use of CONFIG_GRKERNSEC_SYSCTL_ON=y

I'm not aware of anything logging to a /var/log/grsec.log file; logs should go to the kernel ring buffer (run the "dmesg" command to see it) and also appear in /var/log/messages

Hope this helps.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: No logging seen

Postby specs » Fri Feb 26, 2010 5:21 am

If you try "sysctl -a | grep grsecurity" you will get a list that is easy to edit and add to the standard init-scipts (like /etc/sysctl.conf).

For example:
Code: Select all
# sysctl -a | grep grsecurity >> /etc/sysctl.conf

Make sure you end the configuration with:
Code: Select all
kernel.grsecurity.grsec_lock = 0
If you change that to 1 you might have to reboot for changing settings. (For production servers it should read 1 after configuration.)

And finally, there is no /var/log/grsec.log. Grsecurity logs to the standard logfiles like /var/log/syslog. You can also use dmesg to find problems.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: No logging seen

Postby gazolinia » Fri Feb 26, 2010 5:37 am

Thanks for your kind replies. Everything looks fine and great.
Most of our requirements got satisfied except one, restricting maximum no of process to run at a time in a root (jail) http://forums.grsecurity.net/viewtopic.php?f=3&t=2249.
There they suggested us to use RBAC system (special UID) . To make this happen in our existing system it seems very difficult. So is there any other way to work little on our grsecurity patch to make this happen. Something like before calling chroot check how many process running at a time within that new root, if it is more than max_limit then die . Please guide me if anything can be possible here ....


Thanks,
Jai
gazolinia
 
Posts: 8
Joined: Wed Feb 10, 2010 1:32 am


Return to grsecurity support