[grsec] Learning stuck at rsync

John Logsdon j.logsdon at quantex-research.com
Tue Jun 7 18:17:07 EDT 2005


gradm 2.1.5, grsec 2.6.11.11 (using the 2.6.11.9 patch).

Is there any reason why my ACL learning from an 87MB log file should
freeze when processing the object rsync?  Could there be anything about
rsync that makes it difficult to process - or could there be a DAC
permissions problem?

I have two attempts on different copies of the same file, one as generated
and the other as processed by grtool s-l which reduces it to 24MB.  In
both cases, the dialogue is:

# gradm -F -L learn7x.log -O learn7x.acl
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user nx...done.
Beginning full learning subject reduction for user adm.jl...done.
Beginning full learning subject reduction for user sshd...done.
Beginning full learning subject reduction for user postfix...done.
Beginning full learning subject reduction for user _ntp...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/cat...done.
Beginning full learning object reduction for subject /bin/chmod...done.
Beginning full learning object reduction for subject /bin/ls...done.
Beginning full learning object reduction for subject /bin/mail...done.
Beginning full learning object reduction for subject /bin/mv...done.
Beginning full learning object reduction for subject /bin/ping...done.
Beginning full learning object reduction for subject /bin/ps...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject
/bin/traceroute...done.
Beginning full learning object reduction for subject
/etc/cron.daily...done.
Beginning full learning object reduction for subject
/sbin/syslog-ng...done.
Beginning full learning object reduction for subject
/usr/bin/logger...done.
Beginning full learning object reduction for subject
/usr/bin/rsnapshot...done.
Beginning full learning object reduction for subject /usr/bin/rsync...

Sorry about the wrap round.  The first attempt on the vanilla log file has
now clocked up 969:15.86 minutes and the second one 413:23.25 gradm

Puzzled.  I guess some application of the learn_config is called for :-))

But is it possible to filter a particular subject out after the learning
stage but before the ACL generation stage?

TIA

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com



