Gentoo Archives: gentoo-hardened

From: Alexander Tiurin <alexanderyt@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] gradm load cpu ~100% but can't build all ACL rules
Date: Wed, 20 Nov 2013 20:50:47
Message-Id: CAK2Q6vCJW+Z7_=Ck-6BddH8RcMto3PubxqLEYEyxCKUfKE8JTg@mail.gmail.com
Hello!

~20 hours after running

# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/

gradm has not stopped.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23513 root 20 0 288m 273m 1308 R 99,6 15,9 1008:37 gradm

This is the strace immediately after running gradm:

# strace -p 23513
Process 23513 attached
read(3, "usr/bin/python3.2\t/etc/cron.week"..., 16777216) = 16777216
read(3, "\t1\t1\t/etc/ssh/ssh_host_dsa_key\t1"..., 16777216) = 16777216
read(3, "sr/sbin/named\t/\t127.0.0.1\t53643\t"..., 16777216) = 16777216
read(3, "mpd\t/\t1\t1\t/bin/dash\t16\t0.0.0.0\nd"..., 16777216) = 16777216
read(3, "998\t/usr/lib64/nagios/plugins/ch"..., 16777216) = 16777216
read(3, "\t68\t107\t998\t/usr/sbin/nagios\t/\t1"..., 16777216) = 16777216
read(3, "/\t1\t1\t/usr/lib64/libasm.a\t16\t0.0"..., 16777216) = 16777216
read(3, "97\t/usr/sbin/ripd\t/\t172.16.16.2\t"..., 16777216) = 16777216
read(3, "usr/sbin/nagios\t/\t1\t1\t/var/nagio"..., 16777216) = 16777216
read(3, "bz.so.1.2.7\t17\t0.0.0.0\ndefault\t6"..., 16777216) = 16777216
read(3, "\t1\t/\t16\t0.0.0.0\ndefault\t68\t0\t0\t/"..., 16777216) = 16777216
read(3, "\t16\t0.0.0.0\ndefault\t68\t0\t0\t/usr/"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t107\t998\t/usr/lib64"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t0\t0\t/usr/libexec/p"..., 16777216) = 16777216
read(3, "7\t998\t/usr/bin/snmpget\t/\t1\t1\t/li"..., 16777216) = 16777216
read(3, "8.5\t/\t1\t1\t/usr/lib64/libeinfo.so"..., 16777216) = 16777216
read(3, "portage/app-editors/vim-7.3.762\t"..., 16777216) = 16777216
read(3, "/edb/dep/usr/portage/sys-kernel/"..., 16777216) = 16777216
read(3, "gins/check_ping\t/\t1\t1\t/etc/host."..., 16777216) = 16777216
read(3, "ault\t68\t0\t0\t/usr/sbin/cron\t/\t1\t1"..., 16777216) = 16777216
read(3, "s/plugins/check_ping\t/\t1\t1\t/usr/"..., 16777216) = 16777216
read(3, "1\t/usr/lib64/tcllib1.15/multiple"..., 16777216) = 16777216
read(3, "ck_ssh\t/\t127.0.0.1\t22\t1\t6\t2\t0.0."..., 16777216) = 16777216
read(3, "b64/libpthread-2.15.so\t17\t0.0.0."..., 16777216) = 16777216
read(3, "r/lib64/nagios/plugins/check_snm"..., 16777216) = 16777216
read(3, "sr/portage/app-shells/push-1.5\t1"..., 16777216) = 16777216
read(3, ".0.0\ndefault\t68\t107\t998\t/usr/bin"..., 16777216) = 16777216
read(3, "b64/tcllib1.15/soundex/pkgIndex."..., 16777216) = 16777216
read(3, "resolv-2.15.so\t8\t0.0.0.0\ndefault"..., 16777216) = 16777216
read(3, "/snmpget\t/\t1\t1\t/usr/share/snmp/m"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t0\t0\t/usr/bin/tclsh"..., 16777216) = 16777216
read(3, "s-2.15.so\t17\t0.0.0.0\ndefault\t68\t"..., 16777216) = 16777216
read(3, "ep/usr/portage/x11-drivers\t16\t0."..., 16777216) = 16777216
read(3, "on.weekly\t1\t1\t/var/cache/edb/dep"..., 16777216) = 16777216
read(3, "s/spool/checkresults/ceaNH06\t133"..., 16777216) = 16777216
read(3, "/bin/python3.2\t/\t1\t1\t/usr/lib64/"..., 16777216) = 16777216
^CProcess 23513 detached

and this is the strace ~20 hours later:

# time strace -p 23513
Process 23513 attached

^CProcess 23513 detached
strace -p 23513  0,00s user 0,00s system 0% cpu 3:37,59 total

# vdir -h /etc/grsec/learning.logs
-rw------- 1 root root 2,2G Nov 19 15:30 /etc/grsec/learning.logs

Any and all suggestions are welcome.

gradm log:

Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /bin/zsh...done.
Beginning full learning object reduction for subject /etc/cron.daily...done.
Beginning full learning object reduction for subject /etc/cron.weekly...done.
Beginning full learning object reduction for subject /etc/init.d/net.lo...done.
Beginning full learning object reduction for subject /lib64/dhcpcd/dhcpcd-run-hooks...done.
Beginning full learning object reduction for subject /sbin/dhcpcd...done.
Beginning full learning object reduction for subject /sbin/udevd...done.
Beginning full learning object reduction for subject /sbin/xtables-multi...done.
Beginning full learning object reduction for subject /usr/bin/bcfg2-report-collector-python2.7...done.
Beginning full learning object reduction for subject /usr/bin/bcfg2-server-python2.7...done.
Beginning full learning object reduction for subject /usr/bin/fail2ban-server...done.
Beginning full learning object reduction for subject /usr/bin/logger...done.
Beginning full learning object reduction for subject /usr/bin/python3.2...done.
Beginning full learning object reduction for subject /usr/bin/rsync...done.
Beginning full learning object reduction for subject /usr/bin/top...done.
Beginning full learning object reduction for subject /usr/bin/whois...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/auth...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/config...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap-login...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/ssl-params...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/cleanup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/local...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/master...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/pickup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtp...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtpd...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/trivial-rewrite...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/verify...done.
Beginning full learning object reduction for subject /usr/sbin/apache2...done.
Beginning full learning object reduction for subject /usr/sbin/collectd...done.
Beginning full learning object reduction for subject /usr/sbin/cron...done.
Beginning full learning object reduction for subject /usr/sbin/dovecot...done.
Beginning full learning object reduction for subject /usr/sbin/ntpd...done.
Beginning full learning object reduction for subject /usr/sbin/postdrop...done.
Beginning full learning object reduction for subject /usr/sbin/ripd...done.
Beginning full learning object reduction for subject /usr/sbin/rsyslogd...done.
Beginning full learning object reduction for subject /usr/sbin/sendmail...done.
Beginning full learning object reduction for subject /usr/sbin/snmpd...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Beginning full learning object reduction for subject /usr/sbin/zebra...done.
Beginning full learning object reduction for subject /etc/cron.daily...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/auth...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap-login...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/sbin/apache2...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/ip...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /usr/bin/top...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/cleanup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/pickup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/qmgr...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtp...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtpd...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/verify...done.
Beginning full learning object reduction for subject /usr/sbin/openvpn...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/ping...done.
Beginning full learning object reduction for subject /bin/ps...done.
Beginning full learning object reduction for subject /usr/bin/snmpget...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_http...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_ping...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_ssh...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_tcp...done.
Beginning full learning object reduction for subject /usr/sbin/nagios...
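The two traces in the post already carry the diagnosis: the first strace shows gradm slurping the 2,2G learning log in 16 MiB reads, the second shows a process at 99,6% CPU making no system calls at all for three and a half minutes, which means the time is going into userspace computation (the object reduction for the current subject) rather than into I/O or the kernel. The script below is an added example, not part of the post and not gradm code, that makes that check explicit from the utime/stime counters in /proc/<pid>/stat, so it can be run without attaching strace. It assumes the Linux /proc stat layout (command name in parentheses, utime and stime as the 14th and 15th fields); the two sample stat lines are constructed to mirror the top output in the post, not captured from the author's machine.

```python
"""Classify whether a busy process is burning CPU in userspace or in the kernel.

Added diagnostic example; not from the gentoo-hardened post and not part of
gradm. Assumes the Linux /proc/<pid>/stat format.
"""
import os
import sys
import time

# Constructed samples (not real captures): a "gradm" process, state R, with
# 69888 resident pages (~273 MiB, matching the RES column in the post).
# Between the two samples utime grows by 1000 ticks, stime by only 1.
SAMPLE_T0 = ("23513 (gradm) R 1 23513 23513 0 -1 4194304 70000 0 0 0 "
             "100 5 0 0 20 0 1 0 12345 301989888 69888")
SAMPLE_T1 = ("23513 (gradm) R 1 23513 23513 0 -1 4194304 70000 0 0 0 "
             "1100 6 0 0 20 0 1 0 12345 301989888 69888")


def parse_proc_stat(text):
    """Parse one /proc/<pid>/stat line into the fields we care about.

    The command name is wrapped in parentheses and may contain spaces or
    even ')', so split on the *last* ')' instead of on whitespace.
    """
    lparen = text.index("(")
    rparen = text.rindex(")")
    pid = int(text[:lparen].strip())
    comm = text[lparen + 1:rparen]
    f = text[rparen + 1:].split()   # f[0] is the state field (3rd overall)
    return {
        "pid": pid,
        "comm": comm,
        "state": f[0],               # R = running, S = sleeping, D = disk wait
        "utime": int(f[11]),         # clock ticks spent in userspace
        "stime": int(f[12]),         # clock ticks spent in the kernel
        "num_threads": int(f[17]),
        "rss_pages": int(f[21]),
    }


def classify(before, after):
    """Compare two samples of the same process and say where its CPU time went."""
    du = after["utime"] - before["utime"]
    ds = after["stime"] - before["stime"]
    total = du + ds
    if total == 0:
        return "idle"                # no CPU consumed: blocked, not spinning
    if du / total >= 0.9:
        return "userspace-bound"     # like gradm in the post: busy, no syscalls
    if ds / total >= 0.9:
        return "kernel-bound"        # e.g. a tight syscall or I/O loop
    return "mixed"


def sample(pid):
    """Read and parse the live stat line for a pid (Linux only)."""
    with open("/proc/%d/stat" % pid) as fh:
        return parse_proc_stat(fh.read())


def diagnose(pid, interval=5.0):
    """Take two live samples `interval` seconds apart and return a verdict."""
    before = sample(pid)
    time.sleep(interval)
    after = sample(pid)
    try:
        hz = os.sysconf("SC_CLK_TCK")
    except (AttributeError, ValueError):
        hz = 100                     # assumption: default Linux tick rate
    user_s = (after["utime"] - before["utime"]) / hz
    sys_s = (after["stime"] - before["stime"]) / hz
    verdict = classify(before, after)
    return {"comm": after["comm"], "state": after["state"],
            "user_seconds": user_s, "system_seconds": sys_s,
            "rss_mib": after["rss_pages"] * os.sysconf("SC_PAGE_SIZE") / 2**20,
            "verdict": verdict}


if __name__ == "__main__":
    # Usage: python3 cpu_where.py <pid> [interval-seconds]
    target = int(sys.argv[1])
    secs = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    print(diagnose(target, secs))
```

A "userspace-bound" verdict with a near-zero system share reproduces what the second strace showed, without the overhead of ptrace-attaching to the process; a "kernel-bound" or "idle" verdict would instead point at the reads of the learning log, or at a process that is blocked rather than computing.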