[grsec] Message logs

John Logsdon j.logsdon at quantex-research.com
Mon Aug 15 10:42:35 EDT 2005


Guillaume and list

Here are my syslog-ng options:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
    stats(86400);
};

which should flush every line as it is written.  Still no idea why the
logs should delay although, as Igmar points out, it is likely to be a
syslog-ng issue rather than grsec.

The syslog-ng ACLs (derived by a learning exercise) are:

subject /sbin/syslog-ng o {
	/				h
	/etc/localtime			
	-CAP_ALL
	+CAP_SYS_ADMIN
	bind	disabled
	connect	disabled
}

which I thought should allow writing, but in the logs there is the line:

Aug 15 12:39:05 unix kernel: grsec: (default:D:/) use of CAP_SYS_ADMIN
denied for /sbin/syslog-ng[syslog-ng:26769] uid/euid:0/0 gid/egid:0/0,
parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

which may explain it: it has dropped through to default, which
disallows the write.

Further clues?

TIA

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Mon, 15 Aug 2005, Guillaume Castagnino wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> John Logsdon wrote:
> > I have syslog-ng filtering out my grsec logs to /var/log/grsec/grsec.log -
> > with log rotation etc.  Console logs can be viewed over VNC via the
> > engineering port but I want to see them in real files as well.
> > 
> > But I notice that the logs are not written immediately - certainly the
> > VNC output is reasonably quick so if I was crouching on the floor by the
> > server, I would get them immediately.
> > 
> > In particular, I seem to need to restart syslog-ng to flush the
> > information out then it gets written with the wrong time stamp.
> 
> Have you put "sync(0);" in your "options" section of syslog-ng.conf?
> With sync(0), syslog flushes logs every line. The default is higher.
> 
> See : http://www.campin.net/syslog-ng/faq.html
> >  What conf settings can I use for my syslog-ng.conf file so that
> > messages are written to disk the instant they are received?
> >
> > Add sync(0) to your config file.
> >
> > options { sync(0); };
> 
> - --
> Guillaume Castagnino
>     guilc at laposte.net / casta at xwing.info
> GnuPG/PGP key :
> http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&fingerprint=on&search=0x8AF468AF
> 
> Fingerprint : CD52 FE40 9592 BA1E E89D 5FB6 820E 4742 8AF4 68AF
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> 
> iD8DBQFDAJecgg5HQor0aK8RAgikAJ0Q75AETBBx8zgDUugCyyxIPMZhDACeJKl7
> 2mujV2OuEgZiExAQ8h1y/IE=
> =L/Ct
> -----END PGP SIGNATURE-----
> 
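The denial line quoted in the thread is the one piece of hard evidence here: it says which role and subject grsec actually applied to syslog-ng, and that is "/" (the catch-all), not the "/sbin/syslog-ng" subject the posted policy defines. The following is an added example, not code from the thread or from grsecurity: a small parser that pulls the fields out of a grsec capability-denial line and checks each denied process against the subject its policy is supposed to use, so a fall-through to the catch-all shows up as a finding rather than having to be spotted by eye. The reading of the parenthesised triple as (role name : role type : subject) is an assumption made in the comments; the sample log lines are constructed, the first being the thread's own message re-joined onto one line.

```python
import re
from typing import Optional

# Fields of a grsecurity capability-denial message as it appears in the kernel log.
# The "(default:D:/)" prefix is read here as (role name : role type : subject path);
# this reading is an assumption. What the thread itself shows is only that the
# subject in the denial is "/" rather than the policy's "/sbin/syslog-ng".
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:)]+):(?P<role_type>[^:)]+):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<path>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")


def parse_grsec_denial(line: str) -> Optional[dict]:
    """Return the fields of a grsec capability denial, or None for any other line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def check_denial(rec: dict, expected_subjects: dict) -> list:
    """Compare one denial against the subject the policy is meant to apply.

    expected_subjects maps a binary path to the subject that should govern it.
    """
    problems = []
    wanted = expected_subjects.get(rec["path"])
    if wanted is not None and rec["subject"] != wanted:
        problems.append(
            f'{rec["path"]} ran under subject {rec["subject"]!r} in role '
            f'{rec["role"]!r}, not the policy subject {wanted!r}: the denial '
            f'comes from the catch-all subject, not from the process-specific ACL'
        )
    if rec["euid"] == 0:
        problems.append(
            f'{rec["cap"]} denied to euid-0 process {rec["path"]} (pid {rec["pid"]})'
        )
    return problems


def audit(lines, expected_subjects: dict) -> list:
    """Run every line through the parser and collect the problems found."""
    findings = []
    for line in lines:
        rec = parse_grsec_denial(line)
        if rec is None:
            continue  # not a grsec capability denial; ignore
        for problem in check_denial(rec, expected_subjects):
            findings.append({"pid": rec["pid"], "path": rec["path"],
                             "cap": rec["cap"], "problem": problem})
    return findings


# Constructed sample input: the first line is the denial quoted in the thread,
# re-joined onto one line; the second is an unrelated kernel message added only
# to show that non-grsec lines are skipped.
SAMPLE_LINES = [
    "Aug 15 12:39:05 unix kernel: grsec: (default:D:/) use of CAP_SYS_ADMIN "
    "denied for /sbin/syslog-ng[syslog-ng:26769] uid/euid:0/0 gid/egid:0/0, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Aug 15 12:39:06 unix kernel: eth0: link is up",
]

# The subject the posted policy defines for syslog-ng.
POLICY_SUBJECTS = {"/sbin/syslog-ng": "/sbin/syslog-ng"}

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, POLICY_SUBJECTS):
        print(f"pid {f['pid']}: {f['problem']}")
```

Run against the thread's line, the first finding is the one that matters for the question asked: the process was not governed by the syslog-ng subject at all, so adjusting that subject's capability list cannot change the outcome until the policy actually attaches to the process.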




More information about the grsecurity mailing list