[grsec] logging flood
Brad Plant
bplant at westnet.com.au
Sun Aug 7 03:43:27 EDT 2005
On Sun, 2005-08-07 at 10:30 +0300, Adi Spivak wrote:
> Hello,
> I use the grsec patch on 2 different Slackware Linux servers.
> On one of them, several days after a reboot, it begins to flood the
> messages log file with just everything that is happening on the server
> (both servers are configured the same, and it starts to do it only
> several days after a reboot; this time it was 50 days).
> Here is an example taken from a logwatch summary:
>
> 1 Time(s): grsec: exec of /bin/bash (/bin/sh -c /usr/local/clamav/bin/freshclam --quiet -l /var/log/clam-update.log > /dev/null 2>&1 ) by /usr/sbin/crond[crond:4638] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:95] uid/euid:0/0 gid/egid:0/0
> 1 Time(s): grsec: exec of /bin/bash (/bin/sh -c /usr/local/clamav/bin/freshclam --quiet -l /var/log/clam-update.log > /dev/null 2>&1 ) by /usr/sbin/crond[crond:4664] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:95] uid/euid:0/0 gid/egid:0/0
> 1 Time(s): grsec: exec of /bin/bash (/bin/sh -c /usr/local/clamav/bin/freshclam --quiet -l /var/log/clam-update.log > /dev/null 2>&1 ) by /usr/sbin/crond[crond:4701] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:95] uid/euid:0/0 gid/egid:0/0
> 1 Time(s): grsec: exec of /bin/bash (/bin/sh -c /usr/local/clamav/bin/freshclam --quiet -l /var/log/clam-update.log > /dev/null 2>&1 ) by /usr/sbin/crond[crond:4726] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:95] uid/euid:0/0 gid/egid:0/0
>
> What is causing it?
> How can I stop it without rebooting the server each time?

You can stop the exec logging by doing the following:

    echo 0 >/proc/sys/kernel/grsecurity/exec_logging

Cheers,
Brad
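
An added example, not part of the original message: before switching exec logging off, a short Python script can group the exec records quoted above by parent process and command line to show what accounts for the volume. The regular expression is inferred only from the four records quoted in this thread and is an assumption about the general record layout; the last sample line is constructed.

```python
import re
from collections import Counter

# Per-process fields as they appear in the quoted records:
#   /usr/sbin/crond[crond:4638] uid/euid:0/0 gid/egid:0/0
PROC = (r"(?P<{0}exe>\S+)\[(?P<{0}comm>[^:\]]+):(?P<{0}pid>\d+)\] "
        r"uid/euid:(?P<{0}uid>\d+)/(?P<{0}euid>\d+) "
        r"gid/egid:(?P<{0}gid>\d+)/(?P<{0}egid>\d+)")
# Layout assumed from the quoted lines: exec of PATH (ARGS) by PROC, parent PROC
EXEC_RE = re.compile(r"grsec: exec of (?P<path>\S+) \((?P<args>.*)\) by "
                     + PROC.format("") + ", parent " + PROC.format("p_") + r"\s*$")

def parse_exec(line):
    """Return the fields of one grsec exec record, or None for any other line."""
    m = EXEC_RE.search(line)  # search() tolerates syslog/logwatch prefixes
    return m.groupdict() if m else None

def summarize(lines):
    """Count exec records per (parent exe, parent pid, args); child PIDs are ignored."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_exec(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["p_exe"], int(rec["p_pid"]), rec["args"].strip())] += 1
    return counts, skipped

# Sample input: the four records from the message (they differ only in child PID),
# plus one constructed line that is not a grsec exec record.
TEMPLATE = ("1 Time(s): grsec: exec of /bin/bash (/bin/sh -c /usr/local/clamav/bin/freshclam "
            "--quiet -l /var/log/clam-update.log > /dev/null 2>&1 ) by /usr/sbin/crond[crond:{pid}] "
            "uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:95] uid/euid:0/0 gid/egid:0/0")
SAMPLE = [TEMPLATE.format(pid=p) for p in (4638, 4664, 4701, 4726)]
SAMPLE.append("Aug  7 03:00:01 host crond[95]: constructed non-grsec line")

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    for (parent, ppid, args), n in counts.most_common():
        print(f"{n:5d}  parent={parent}[{ppid}]  cmd={args}")
    print(f"{skipped} line(s) were not grsec exec records")
```
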