##### # # Copyright (C) 2005-2012 CS-SI. All Rights Reserved. # Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com> # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### # *exhaustive* err..*extensive* grsecurity support for Prelude-LML ###################### GRSEC 2 #################### # /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0" regex=uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent; id=693; \ source(0).user.category=application; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).number=$1; \ source(0).user.user_id(1).type=user-privs; \ source(0).user.user_id(1).number=$2; \ source(0).user.user_id(2).type=current-group; \ source(0).user.user_id(2).number=$3; \ source(0).user.user_id(3).type=group-privs; \ source(0).user.user_id(3).number=$4; \ chained; silent; # # generic grsec2 goto rules regex=(to|on|against) ([^[ ]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent ([^[]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+); \ id=691; \ revision = 1; \ target(0).process.path=$2; \ target(0).process.name=$3; \ target(0).process.pid=$4; \ target(0).user.category=application; \ target(0).user.user_id(0).type=current-user; \ target(0).user.user_id(0).number=$5; \ target(0).user.user_id(1).type=user-privs; \ target(0).user.user_id(1).number=$6; \ target(0).user.user_id(2).type=current-group; \ target(0).user.user_id(2).number=$7; \ target(0).user.user_id(3).type=group-privs; \ target(0).user.user_id(3).number=$8; \ # target(1).process.path = $9; \ # target(1).process.name = $10; \ # target(1).process.pid = $11; \ # target(1).user.user_id(0).type = current-user; \ # target(1).user.user_id(0).number = $12; \ # target(1).user.user_id(1).type = user-privs; \ # target(1).user.user_id(1).number = $13; \ # target(1).user.user_id(2).type = current-group; \ # target(1).user.user_id(2).number = $14; \ # target(1).user.user_id(3).type = group-privs; \ # target(1).user.user_id(3).number = $15; \ chained; silent; regex=(by|for) (IP:([^ ]+) )?([^[ ]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?, parent ([^[]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?; optgoto=693; \ id=692; \ revision = 1; \ source(0).node.address(0).address = $3; \ source(0).process.path=$4; \ source(0).process.name=$5; \ source(0).process.pid=$6; \ chained; silent; # # generic grsec2 goto rules regex=From (\S+):; \ id=693; \ revision = 1; \ source(0).node.address(0).address = $1; \ chained; silent; regex=denied; id=694; assessment.impact.completion = failed; chained; silent; regex=successful; id=695; assessment.impact.completion = succeeded; chained; silent; ############## #define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " # #LOG: FIXME # regex=denied ptrace of ([^(]+)([^:]+:(\d+)) by ; goto=692; optgoto=693-695; \ classification.text=Denied ptrace; \ id=603; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).process.path = $1; \ target(0).process.name = $2; \ target(0).process.pid = $3; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to ptrace $1. Access was denied. \ last ## #define GR_IOPERM_MSG "denied use of ioperm() by " #define GR_IOPL_MSG "denied use of iopl() by " # #LOG: FIXME regex=denied use of (ioperm|iopl)\(\) by ; goto=692; optgoto=693-695; \ classification.text=Denied user of $1; \ id=603; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ last ## #define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by " #LOG: FIXME ## #define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by " #LOG: FIXME ## #define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " # #LOG: Jan 11 01:40:09 gw kernel: grsec: From X: denied attach of shared memory outside of chroot by /chroot/usr/local/apache/bin/httpd[httpd:21579] uid/euid:1000/1000 gid/egid:103/103, parent /chroot/apache/usr/local/apache/bin/httpd[httpd:20755] uid/euid:0/0 gid/egid:0/0 regex=denied attach of shared memory outside of chroot by; goto=692; \ classification.text=Denied attach of shared memory segment; \ id=604; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.severity=low; \ assessment.impact.description=Denied attach of shared memory segment outside of chroot; \ last ## #define GR_KMEM_MSG "denied write of /dev/kmem by " #define GR_PORT_OPEN_MSG "denied open of /dev/port by " #define GR_MEM_WRITE_MSG "denied write of /dev/mem by " #define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by " # #LOG: FIXME # regex=denied ((mmap )?write|open) of (/dev/[^ ]+) by; optgoto=693-694; \ classification.text=Denied $1 of $2; \ id=602; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was denied to $1 $2.; \ last #define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by " #define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u" #define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u" #define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by " # #LOG: Jan 14 10:48:00 gw kernel: grsec: (default:D:/) denied access to hidden file /tmp by /bin/bash[bash:8531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18897] uid/euid:1000/1000 gid/egid:1000/1000 # regex=denied access to hidden file ([^ ]+) by ; \ goto=692; optgoto=693-695; \ classification.text=Denied access to hidden file; \ id=608; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $1; \ target(0).file(0).category = current; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to access the hidden file $1. This access was denied by the ACL system. This could have resulted from an incomplete ACL, or an attack may be in progress on your system.; \ last ####### #define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " #define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by " #define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by " # #LOG: FIXME # regex=(denied|successful) (open|create|writing) (of|FIFO) for ; \ classification.text=Potential FIFO race; \ id=609; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to write to a FIFO in a world-writable +t directory that was created by a non-root user. This attempt was denied. It is possible that this was the result of an intentional FIFO race on your system.; \ last #define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by " # #LOG: Jan 13 15:28:40 gw kernel: grsec: denied mknod of /tmp/test00030374_mknod from chroot by /root/regression/chroot_mknod_test[chroot_mknod_te:30374] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0 regex=denied mknod of ([^ ]+) from chroot by ; \ goto=692; optgoto=693-695; \ classification.text=Denied mknod from chroot; \ id=610; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ target(0).file(0).path = $1; \ target(0).file(0).category = current; \ assessment.impact.description=An attempt was made to mknod the device $1 from a chroot jail.; \ last #define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by " # #LOG: Jan 11 01:40:09 gw kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /bin/login[login:31903] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 # regex=(denied|successful) connect\(\) to the unix domain socket ([^ ]+) by ; \ goto=692; optgoto=693-694; \ classification.text=Attempted UNIX connect; \ id=674; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).name = $2; \ target(0).file(0).category = current; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to connect to the unix domain socket $2 was $1.; \ last; ####### # Special case, we can't use 692 here. # #define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against " # #LOG: Jan 11 01:35:04 gw kernel: grsec: terminal being sniffed by IP:0.0.0.0 /usr/bin/vmnet-natd[vmnet-natd:574], parent /sbin/init[init:1] against /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 # regex=terminal being sniffed by; \ goto=691; goto=692;\ classification.text=Terminal sniffed; \ id=675; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ last; #define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for " #define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by " #define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by " #define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by " #define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by " # # LOG: FIXME # regex=(denied|successful) (rename|link|symlink) (of|from) ([^ ]+) to ([^ ]+) by ; \ goto=692; optgoto=693-694; \ classification.text=Attempted $2; \ id=618; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $4; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to $2 $4 to $5. Access was $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \ last #define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " #define GR_NPROC_MSG "denied overstep of process limit by " #define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds" # regex=possible exploit bruteforcing on; goto=691; regex=banning uid (\d+) from login for (\d+) seconds; \ optgoto=692-694; \ classification.text=Possible exploit bruteforcing; \ id=622; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=original-user; \ source(0).user.user_id(0).number=$1; \ assessment.impact.description=A possible exploit bruteforce attempt was made. The user with uid $1 has been banned from logging in for $2 seconds for causing this alert.; \ last #define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds" # regex=possible exploit bruteforcing on; goto=691; regex=banning execution for (\d+) seconds; \ optgoto=692-694; \ classification.text=Possible exploit bruteforcing; \ id=623; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=A possible exploit bruteforce attempt was made. The process being bruteforced is banned from execution for $1 seconds.; \ last #define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by " #define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by " #define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by " #define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by " # #LOG: Jan 13 15:20:27 gw kernel: grsec: denied chmod +s /tmp/test0008410_chmod by /root/regression/chroot_chmod_test[chroot_chmod_te:8410] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:15418] uid/euid:0/0 gid/egid:0/0 regex=denied chmod \+s ([^ ]+) by ; \ goto=692; optgoto=692-695; \ classification.text=Denied chmod +s from chroot; \ id=638; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to chmod +s the file $1. Access was denied.; \ last #define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by " # #LOG: Jan 13 15:28:40 gw kernel: grsec: denied fchdir outside of chroot to /etc by /root/regression/chroot_fchdir_test[chroot_fchdir_t:9025] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0 regex=denied fchdir outside of chroot to ([^ ]+) by; \ goto=692; optgoto=693-695; \ classification.text=Denied fchdir out of chroot; \ id=631; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $1; \ target(0).file(0).category = current; \ assessment.impact.completion=failed; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to fchdir out of a chroot jail to the directory $1. Access was denied.; \ last #define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by " #define GR_INITF_ACL_MSG "init_variables() failed %s by " #define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader" #define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by " ####### ## #define GR_SHUTS_ACL_MSG "shutdown auth success for " #define GR_SHUTF_ACL_MSG "shutdown auth failure for " # #LOG: Jan 11 01:36:27 gw kernel: grsec: shutdown auth success for /sbin/gradm[gradm:27128] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14872] uid/euid:0/0 gid/egid:0/0 # #LOG: Jan 11 01:51:59 gw kernel: grsec: (default:D:/sbin/gradm) shutdown auth failure for /sbin/gradm[gradm:8974] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:27363] uid/euid:0/0 gid/egid:0/0 # regex=shutdown auth (success|failure) for; goto=692; optgoto=693-694; \ classification.text=Grsecurity ACL shutdown; \ id=676; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ source(0).node.address(0).address = $1; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ last; ####### #define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for " ###### #define GR_SEGVMODS_ACL_MSG "segvmod auth success for " #define GR_SEGVMODF_ACL_MSG "segvmod auth failure for " # #LOG: FIXME regex=segvmod auth (success|failure); \ classification.text=ACL system segvmod $1; \ id=644; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=admin; \ assessment.impact.severity=high; \ assessment.impact.description=$1 in removing a ban on a user or binary due to possible exploit bruteforcing.; \ last ####### #define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for " # #LOG: FIXME regex=ignoring segvmod for disabled RBAC system for ; \ classification.text=ACL system segvmod ignored; \ id=646; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=admin; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was ignored to remove a ban on a user or binary due to possible exploit bruteforcing.; \ last ####### #define GR_ENABLE_ACL_MSG "%s RBAC system loaded by " #LOG: Jan 11 01:35:04 gw kernel: grsec: (default:D:/sbin/gradm) grsecurity 2.1.1 RBAC system loaded by /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 regex=RBAC system loaded by; goto=692; \ classification.text=RBAC system loaded; \ id=647; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=admin; \ assessment.impact.severity=high; \ assessment.impact.description=The RBAC system was successfully loaded.; \ last #### #define GR_ENABLEF_ACL_MSG "unable to load %s for " #define GR_RELOADF_ACL_MSG "failed reload of %s for " # #LOG:FIXME # regex=(unable to|failed) (load|reload); goto=692; \ classification.text=$2 failed; \ id=649; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=admin; \ assessment.impact.severity=high; \ assessment.impact.description=Failed attempt to $2 the ACL system.;\ last #define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system" #define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by " #define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for " #define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by " #define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by " #define GR_SPROLEF_ACL_MSG "special role %s failure for " #define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for " #define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by " #define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for " #define GR_INVMODE_ACL_MSG "invalid mode %d by " #define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by " # #LOG: Jan 13 15:28:40 gw kernel: grsec: denied priority change of process (chroot_nice_tes:15707) by /root/regression/chroot_nice_test[chroot_nice_tes:15707] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0 regex=denied priority change of process \(([^:]+):(\d+)\) by ; \ goto=692; optgoto=693-695; \ classification.text=Denied process priority change; \ id=658; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ target(0).process.name=$1; \ target(0).process.pid=$2; \ assessment.impact.description=An attempt was made to change the priority of a process. Access was denied.; \ last #### #define GR_FAILFORK_MSG "failed fork with errno %d by " # #LOG: Mar 15 16:14:35 sysadmin kernel: grsec: From 192.168.1.25: failed fork with errno -11 by /root/test/fork-bomb[fork-bomb:4362] uid/euid:0/0 gid/egid:0/0, parent /root/test/fork-bomb[fork-bomb:4009] uid/euid:0/0 gid/egid:0/0 regex=failed fork with errno (-?\d+) by ([^[]+); \ optgoto=691; optgoto=692-695; \ classification.text=Fork failure; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=Program $2 tried to fork and failed with errno $1.; \ last #define GR_NICE_CHROOT_MSG "denied priority change by " ## #define GR_UNISIGLOG_MSG "signal %d sent to " #define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by " # #LOG: Jan 9 22:36:13 gw kernel: grsec: signal 11 sent to /usr/lib/vmware/bin/vmware-vmx[vmware-vmx:11733] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/vmware/bin/vmware[vmware:25692] uid/euid:1000/1000 gid/egid:1000/1000 # #LOG:May 2 18:13:42 lt kernel: grsec: From 82.226.58.44: signal 11 sent to /usr/lib/paxtest/writetext[writetext:2806] uid/euid:1/2 gid/egid:3/4, parent /usr/lib/paxtest/writetext[writetext:23332] uid/euid:5/6 gid/egid:7/8 regex=signal (\d+) sent to; id=662; \ goto=691; optgoto=692-695; \ classification.text=Signal $1 sent; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=Signal $1 was sent to a process.; \ last ## #define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by " # #LOG: FIXME regex=denied send of signal (\d+) to protected task; goto=691; goto=692; \ classification.text=Denied signal to protected process; \ id=664; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to send signal $1 to a protected process. Access was denied.; \ last ## #define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by " #define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by " # ####### #define GR_TIME_MSG "time set by " # #LOG: Jan 10 06:32:09 gw kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:18730] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:24082] uid/euid:0/0 gid/egid:0/0 # #LOG:Jun 19 15:53:23 lomo kernel: grsec: time set by /sbin/hwclock[hwclock:27144] uid/euid:1/2 gid/egid:3/4, parent /sbin/rc[rc:1229] uid/euid:5/6 gid/egid:7/8 # #LOG:May 2 12:55:27 lsd kernel: grsec: From x.x.y.z: time set by /usr/bin/ntpd[ntpd:30864] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 regex=time set by; id = 669; \ goto=692; optgoto=692-694; \ classification.text=System time changed; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=The system time was modified.; \ last # #define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by " ####### #define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " #define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " # #LOG:Jun 19 15:53:23 lomo kernel: grsec: From x.x.x.x: denied executable mmap of /var/www/blah.gif by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0 # regex=(denied|successful) executable (mmap|mprotect) of ([^ ]+) by ; goto=691; optgoto=692-694; \ classification.text=Attempted $2 executable; \ id=670; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ target(0).file(0).name = $3; \ assessment.impact.description=An attempt was made to $2 the file $3 executable. Access was $1.; \ last ####### #define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by " #define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by " # #LOG:Jul 10 01:15:47 worker kernel: grsec: (root:U:/usr/lib/cgi-bin/awstats.pl) denied socket(inet,stream,ip) by /usr/lib/cgi-bin/awstats.pl[awstats.pl:22937] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:29005] uid/euid:0/0 gid/egid:0/0 # regex=(successful|denied) socket\((\w+),(\w+),(\w+)\) by ; goto=692; optgoto=693-694; \ classification.text=Attempted socket use; \ id=671; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to socket($2, $3, $4) was made. Access was $1.; \ last ####### #define GR_BIND_MSG "denied bind() by " #define GR_CONNECT_MSG "denied connect() by " # #LOG: FIXME # regex=denied (connect\(\)|bind\(\)) by; goto=692; optgoto=693-694; \ classification.text=Denied $1; \ id=672; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to $1 was denied.; \ last ####### #define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " #define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " # #LOG:Jul 10 01:15:47 worker kernel: grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) denied bind() to 1.1.1.1 port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0 regex=denied (connect|bind)\(\) to (\d+\.\d+\.\d+\.\d+) port (\d+) sock type (\w+) protocol (\w+); \ goto=692; optgoto=693-694; \ classification.text=Denied $1; \ id=673; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).node.address(0).address = $2; \ target(0).service.port = $3; \ target(0).service.iana_protocol_name = $4; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to $1 to $2:$3 was denied.; \ last #define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u" #define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " #define GR_CAP_ACL_MSG "use of %s denied for " #define GR_USRCHANGE_ACL_MSG "change to uid %d denied for " #define GR_GRPCHANGE_ACL_MSG "change to gid %d denied for " ####### #define GR_REMOUNT_AUDIT_MSG "remount of %.30s by " #define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by " #define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by " # regex=(mount|unmount|remount) of ([^ ]+) by; goto=691; optgoto=692-694; \ classification.text=Filesystem $1ed; \ id=677; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $2; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=medium; \ assessment.impact.description=$2 was $1ed.; \ last; ####### #define GR_CHDIR_AUDIT_MSG "chdir to %.980s by " # #LOG: Jan 13 12:08:42 gw kernel: grsec: From 192.168.1.25: chdir to /home/client/test by /bin/bash[bash:2532] uid/euid:1000/1000 gid/egid:2000/2000, parent /usr/sbin/sshd[sshd:2531] uid/euid:1000/1000 gid/egid:2000/2000 # regex=chdir to ([^ ]+) by ; goto=692; optgoto=693-694; \ classification.text=Attempted chdir; \ id=630; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.description=An attempt was made to chdir to the directory $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \ last #define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by " #LOG:Jan 13 12:08:42 gw kernel: grsec: exec of /sbin/start-stop-daemon (start-stop-daemon --stop --quiet --exec /sbin/klogd --pidfile /var/run/klogd.pid ) by /etc/init.d/klogd[K89klogd:7612] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/klogd[K89klogd:11922] uid/euid:0/0 gid/egid:0/0 regex=exec of ([^ ]+) \(([^ ]+) ([^)]+)\) by ; \ goto=692; optgoto=693-694; \ classification.text=Binary executed; \ id=682; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ target(0).process.name = $2; \ target(0).process.path = $1; \ target(0).process.arg(0) = $3; \ assessment.impact.description=The command: $1 was executed.; \ last ####### #define GR_MSGQ_AUDIT_MSG "message queue created by " #define GR_SEM_AUDIT_MSG "semaphore created by " # #LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: semaphore created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 # regex=(semaphore|message queue) created by ; \ classification.text=$1 created; \ id=685; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ assessment.impact.description=A $1 was created.; \ last ####### #define GR_SHM_AUDIT_MSG "shared memory of size %d created by " # #LOG: Mar 22 11:25:29 sysadmin kernel: grsec: From 192.168.1.25: shared memory of size 1024 created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 # regex=shared memory of size (\d+) created by ; \ classification.text=Shared memory created; \ id=688; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ assessment.impact.description=Shared memory of size $1 was created.; \ last ####### #define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by " #define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by " #define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " # #LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: shared memory of uid:1000 euid:1000 removed by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 # regex=(message queue|semaphore|shared memory) of uid:(\d+) euid:(\d+) removed by ; \ goto=692; optgoto=693-694; \ classification.text=$1 removed; \ id=684; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).number=$2; \ target(0).user.user_id(1).type=user-privs; \ target(0).user.user_id(1).number=$3; \ assessment.impact.completion=succeeded; \ assessment.impact.severity=low; \ assessment.impact.description=A $1 was removed.; \ last ####### #define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for " # #LOG: Jan 12 19:48:15 gw kernel: grsec: denied resource overstep by requesting 495360 for RLIMIT_DATA against limit 0 by /usr/bin/valgrind.bin[valgrind.bin:29839] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31044] uid/euid:0/0 gid/egid:0/0 regex=denied resource overstep by requesting (\d+) for (\w+) against limit (\d+) by ; \ classification.text=Denied resource overstep; \ goto=692; optgoto=693-694; \ id=620; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was denied to overstep the process limit.; \ last #define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by " #*** Groupped stuff **** ## #define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " #define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " # #LOG: Jan 11 01:51:51 gw kernel: grsec: (default:D:/) denied open of /var/log/lastlog for reading writing by /bin/login[login:27363] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 # #LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful open of /root/.nano_history for writing by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 regex=(denied|successful) (open|access) of ([^ ]+) for (.*) by ; \ goto=692; optgoto=693-695; \ classification.text=Attempted $2; \ id=603; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $3; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=$1 $2 of $3 for $4. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \ last ####### #define GR_MKNOD_ACL_MSG "%s mknod of %.950s by " #define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by " #define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by " #define GR_UNLINK_ACL_MSG "%s unlink of %.950s by " #define GR_EXEC_ACL_MSG "%s execution of %.950s by " #define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " #define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by " #define GR_ATIME_ACL_MSG "%s access time change of %.950s by " #define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by " #define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " #define GR_CHOWN_ACL_MSG "%s chown of %.950s by " #define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " #define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " # #LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful execution of /bin/blah by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 # #LOG: Jan 13 15:28:40 gw kernel: grsec: denied chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0 # #LOG: Jan 13 15:28:40 gw kernel: grsec: successful chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0 regex=(denied|successful) (mknod|mkdir|rmdir|unlink|untrusted exec|execution|truncate|access time change|fchmod|chmod|chown|executable mmap|executable mprotect) of ([^ ]+) by ; \ goto=692; optgoto=693-695; \ classification.text=Attempted $2; \ id=610; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ target(0).file(0).path = $3; \ target(0).file(0).category = current; \ assessment.impact.description=An attempt was made to $2 the file $3. Access was $1.; \ last