Large learning log

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby dema » Tue Sep 21, 2004 10:00 am

Hello. We are considering rolling out grsec on our new servers (whenever we actually get them) and I am trying to test run grsec on a test server we have been using. We have a lot going on here with users ftping and using afpd all day. After running gradm2 in full learning mode overnight it generated a log of 22MB (not huge, but big). Now whenever I try to generate an ACL from the log, gradm2 gives a good deal of output and then just seems to continue working to no end (I let it go for about 1 hour while doing other things).

I basically followed the quickstart guide command-wise, using:
gradm -F -L /etc/grsec/learning.log
and then,
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/ac
which outputs:
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user andy...done.
Beginning full learning subject reduction for user www-data...done.
Beginning full learning subject reduction for user mysql...done.
Beginning full learning subject reduction for user mail...done.
Beginning full learning subject reduction for user Debian-exim...done.
Beginning full learning subject reduction for user ljcatalog...done.
Beginning full learning subject reduction for user nobody...done.
Beginning full learning subject reduction for user man...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/chgrp...done.
Beginning full learning object reduction for subject /bin/chmod...done.
Beginning full learning object reduction for subject /bin/chown...done.
Beginning full learning object reduction for subject /bin/cp...done.
Beginning full learning object reduction for subject /bin/gzip...done.
Beginning full learning object reduction for subject /bin/ln...done.
Beginning full learning object reduction for subject /bin/ls...done.
Beginning full learning object reduction for subject /bin/mv...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /etc/cron.daily/exim4-base...done.
Beginning full learning object reduction for subject /sbin/start-stop-daemon...done.
Beginning full learning object reduction for subject /sbin/syslogd...done.
Beginning full learning object reduction for subject /tmp/logrotate.EIgEdT...done.
Beginning full learning object reduction for subject /usr/bin/logger...done.
Beginning full learning object reduction for subject /usr/bin/mysql...done.
Beginning full learning object reduction for subject /usr/bin/mysqladmin...done.
Beginning full learning object reduction for subject /usr/bin/updatedb...done.
Beginning full learning object reduction for subject /usr/sbin/afpd...done.
Beginning full learning object reduction for subject /usr/sbin/crack_packer...done.
Beginning full learning object reduction for subject /usr/sbin/cron...done.
Beginning full learning object reduction for subject /usr/sbin/exim4...done.
Beginning full learning object reduction for subject /usr/sbin/logrotate...done.
Beginning full learning object reduction for subject /usr/sbin/ntpdate...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Beginning full learning object reduction for subject /usr/sbin/vsftpd...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /usr/sbin/apache...done.
Beginning full learning object reduction for subject /usr/sbin/mysqld...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/sbin/exim4...done.
Beginning full learning object reduction for subject /usr/sbin/exim_tidydb...done.
Beginning full learning object reduction for subject /usr/sbin/vsftpd...done.
Beginning full learning object reduction for subject /...

It does all that in the first minute and then sits with 99% CPU for (at least) an hour.

It seems like a rather trivial issue, but I was unable to find a good answer on the website or by googling. Can anyone point out what I'm doing wrong here?

Kernel: Linux 2.6.7-grsec (Debian unstable)

EDIT: I also tested it by letting full learning run for a few minutes and build a 20k log file. gradm2 was able to make an ACL out of that just fine.

Postby spender » Tue Sep 21, 2004 12:27 pm

Could you compress that learning log and mail it to spender@grsecurity.net?

-Brad

Postby dema » Tue Sep 21, 2004 12:31 pm

spender wrote:
Could you compress that learning log and mail it to spender@grsecurity.net?

-Brad


Already deleted it, oops.

I will let full learning run again tonight and shoot ya a compressed version tomorrow morn. Thanks.
