learning mode


Post by miha » Sun Dec 01, 2002 6:00 pm

Before running grsec in normal mode I set learning mode on everything.
Here is what my /etc/grsec/acl looks like:
Code:
/ lo {
        /lib r
        /proc/sys r
        /dev/mem h
        /dev/kmem h
        /etc/grsec x
        /root rx
        /boot rx
        /etc rw
        /bin rx
        /home rxw
        /usr rx
        /sbin rx
        /tmp rw
        / rw
        +CAP_ALL
}

/usr/bin/passwd lo {
        /usr/bin/passwd x
        / h
        /home x
        -CAP_ALL
}

/usr/local/apache/bin/httpd lo {
        /usr/local/apache/bin/httpd x
        / h
        /home x
        /tmp rw
        -CAP_ALL
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/sbin/sendmail lo {
        / h
        /tmp rw
        -CAP_ALL
        RES_NPROC 15 20
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/sbin/exim lo {
        / h
        /tmp rw
        -CAP_ALL
        RES_NPROC 15 20
        connect {
                disabled
        }
        bind {
                disabled
        }
}

/usr/bin/perl lo {
        / h
        /home x
        /tmp rw
        -CAP_ALL
        RES_NPROC 20 25
        connect {
                disabled
        }
        bind {
                disabled
        }
}

And after that I run "gradm -L -O learn".

After 24 hours of running in learning mode the file "learn" didn't change at all. It is still the same as in the first second of running in learn mode.
This server serves a lot of bandwidth and mirrors; there was 15GB bandwidth in these 24 hours, but no changes for /usr/local/apache/bin/httpd, which was run a lot.

Any suggestions what I'm doing wrong?
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Post by spender » Sun Dec 01, 2002 7:53 pm

To enable learning mode you have to enable the ACL system. I don't see how you could have enabled the ACL system with your default ACL that grants +CAP_ALL. You have to enable the ACL system, run it for a while, and then use gradm -L -O /etc/grsec/acl. The -L option just parses the logs; it doesn't enable the system and create them.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by miha » Sun Dec 01, 2002 8:24 pm

Great, thanks, now I see how it is going.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Post by spiekey » Tue Jul 15, 2003 8:30 am

spender wrote: To enable learning mode you have to enable the ACL system. I don't see how you could have enabled the ACL system with your default ACL that grants +CAP_ALL.


How do you enable the ACL System then? ;)

Cheers, Spiekey
spiekey
 
Posts: 6
Joined: Tue Jul 15, 2003 8:28 am

