Hello!
|
About 20 hours after running
|
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/
|
gradm has still not finished. top shows it runnable at ~100% CPU with over 1000 minutes of CPU time accumulated:
|
|
|
PID   USER  PR NI  VIRT  RES  SHR S %CPU %MEM   TIME+   COMMAND
23513 root  20  0  288m 273m 1308 R 99,6 15,9 1008:37   gradm
|
This strace was taken immediately after starting gradm; it is reading the learning log from fd 3 in 16 MiB (16777216-byte) chunks:
|
# strace -p 23513
Process 23513 attached
read(3, "usr/bin/python3.2\t/etc/cron.week"..., 16777216) = 16777216
read(3, "\t1\t1\t/etc/ssh/ssh_host_dsa_key\t1"..., 16777216) = 16777216
read(3, "sr/sbin/named\t/\t127.0.0.1\t53643\t"..., 16777216) = 16777216
read(3, "mpd\t/\t1\t1\t/bin/dash\t16\t0.0.0.0\nd"..., 16777216) = 16777216
read(3, "998\t/usr/lib64/nagios/plugins/ch"..., 16777216) = 16777216
read(3, "\t68\t107\t998\t/usr/sbin/nagios\t/\t1"..., 16777216) = 16777216
read(3, "/\t1\t1\t/usr/lib64/libasm.a\t16\t0.0"..., 16777216) = 16777216
read(3, "97\t/usr/sbin/ripd\t/\t172.16.16.2\t"..., 16777216) = 16777216
read(3, "usr/sbin/nagios\t/\t1\t1\t/var/nagio"..., 16777216) = 16777216
read(3, "bz.so.1.2.7\t17\t0.0.0.0\ndefault\t6"..., 16777216) = 16777216
read(3, "\t1\t/\t16\t0.0.0.0\ndefault\t68\t0\t0\t/"..., 16777216) = 16777216
read(3, "\t16\t0.0.0.0\ndefault\t68\t0\t0\t/usr/"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t107\t998\t/usr/lib64"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t0\t0\t/usr/libexec/p"..., 16777216) = 16777216
read(3, "7\t998\t/usr/bin/snmpget\t/\t1\t1\t/li"..., 16777216) = 16777216
read(3, "8.5\t/\t1\t1\t/usr/lib64/libeinfo.so"..., 16777216) = 16777216
read(3, "portage/app-editors/vim-7.3.762\t"..., 16777216) = 16777216
read(3, "/edb/dep/usr/portage/sys-kernel/"..., 16777216) = 16777216
read(3, "gins/check_ping\t/\t1\t1\t/etc/host."..., 16777216) = 16777216
read(3, "ault\t68\t0\t0\t/usr/sbin/cron\t/\t1\t1"..., 16777216) = 16777216
read(3, "s/plugins/check_ping\t/\t1\t1\t/usr/"..., 16777216) = 16777216
read(3, "1\t/usr/lib64/tcllib1.15/multiple"..., 16777216) = 16777216
read(3, "ck_ssh\t/\t127.0.0.1\t22\t1\t6\t2\t0.0."..., 16777216) = 16777216
read(3, "b64/libpthread-2.15.so\t17\t0.0.0."..., 16777216) = 16777216
read(3, "r/lib64/nagios/plugins/check_snm"..., 16777216) = 16777216
read(3, "sr/portage/app-shells/push-1.5\t1"..., 16777216) = 16777216
read(3, ".0.0\ndefault\t68\t107\t998\t/usr/bin"..., 16777216) = 16777216
read(3, "b64/tcllib1.15/soundex/pkgIndex."..., 16777216) = 16777216
read(3, "resolv-2.15.so\t8\t0.0.0.0\ndefault"..., 16777216) = 16777216
read(3, "/snmpget\t/\t1\t1\t/usr/share/snmp/m"..., 16777216) = 16777216
read(3, ".0\ndefault\t68\t0\t0\t/usr/bin/tclsh"..., 16777216) = 16777216
read(3, "s-2.15.so\t17\t0.0.0.0\ndefault\t68\t"..., 16777216) = 16777216
read(3, "ep/usr/portage/x11-drivers\t16\t0."..., 16777216) = 16777216
read(3, "on.weekly\t1\t1\t/var/cache/edb/dep"..., 16777216) = 16777216
read(3, "s/spool/checkresults/ceaNH06\t133"..., 16777216) = 16777216
read(3, "/bin/python3.2\t/\t1\t1\t/usr/lib64/"..., 16777216) = 16777216
^CProcess 23513 detached
|
and this strace was taken about 20 hours later. Not a single syscall in 3.5 minutes of attachment while top still reports ~100% CPU, so the process is busy in user space (presumably the reduction itself) rather than blocked on I/O:
|
# time strace -p 23513
Process 23513 attached

^CProcess 23513 detached
strace -p 23513  0,00s user 0,00s system 0% cpu 3:37,59 total
|
# vdir -h /etc/grsec/learning.logs
-rw------- 1 root root 2,2G Nov 19 15:30 /etc/grsec/learning.logs

(The log is mode 0600 root-only, which is right: as the strace excerpt above shows, it enumerates every path and socket address each subject touched during learning, so it should not be shared in full.)
|
Any and all suggestions are welcome.
|
gradm output so far (it is still inside the last reduction, /usr/sbin/nagios, which has not printed "done"):
|
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /bin/zsh...done.
Beginning full learning object reduction for subject /etc/cron.daily...done.
Beginning full learning object reduction for subject /etc/cron.weekly...done.
Beginning full learning object reduction for subject /etc/init.d/net.lo...done.
Beginning full learning object reduction for subject /lib64/dhcpcd/dhcpcd-run-hooks...done.
Beginning full learning object reduction for subject /sbin/dhcpcd...done.
Beginning full learning object reduction for subject /sbin/udevd...done.
Beginning full learning object reduction for subject /sbin/xtables-multi...done.
Beginning full learning object reduction for subject /usr/bin/bcfg2-report-collector-python2.7...done.
Beginning full learning object reduction for subject /usr/bin/bcfg2-server-python2.7...done.
Beginning full learning object reduction for subject /usr/bin/fail2ban-server...done.
Beginning full learning object reduction for subject /usr/bin/logger...done.
Beginning full learning object reduction for subject /usr/bin/python3.2...done.
Beginning full learning object reduction for subject /usr/bin/rsync...done.
Beginning full learning object reduction for subject /usr/bin/top...done.
Beginning full learning object reduction for subject /usr/bin/whois...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/auth...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/config...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap-login...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/ssl-params...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/cleanup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/local...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/master...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/pickup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtp...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtpd...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/trivial-rewrite...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/verify...done.
Beginning full learning object reduction for subject /usr/sbin/apache2...done.
Beginning full learning object reduction for subject /usr/sbin/collectd...done.
Beginning full learning object reduction for subject /usr/sbin/cron...done.
Beginning full learning object reduction for subject /usr/sbin/dovecot...done.
Beginning full learning object reduction for subject /usr/sbin/ntpd...done.
Beginning full learning object reduction for subject /usr/sbin/postdrop...done.
Beginning full learning object reduction for subject /usr/sbin/ripd...done.
Beginning full learning object reduction for subject /usr/sbin/rsyslogd...done.
Beginning full learning object reduction for subject /usr/sbin/sendmail...done.
Beginning full learning object reduction for subject /usr/sbin/snmpd...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Beginning full learning object reduction for subject /usr/sbin/zebra...done.
Beginning full learning object reduction for subject /etc/cron.daily...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/auth...done.
Beginning full learning object reduction for subject /usr/libexec/dovecot/imap-login...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/sbin/apache2...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/ip...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /usr/bin/top...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/cleanup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/pickup...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/qmgr...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtp...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/smtpd...done.
Beginning full learning object reduction for subject /usr/libexec/postfix/verify...done.
Beginning full learning object reduction for subject /usr/sbin/openvpn...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/ping...done.
Beginning full learning object reduction for subject /bin/ps...done.
Beginning full learning object reduction for subject /usr/bin/snmpget...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_http...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_ping...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_ssh...done.
Beginning full learning object reduction for subject /usr/lib64/nagios/plugins/check_tcp...done.
Beginning full learning object reduction for subject /usr/sbin/nagios...