prelude-lml 1.0.0-5.3 / etc / prelude-lml / ruleset / grsecurity.rules

#####
#
# Copyright (C) 2005 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by 
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# *exhaustive* err..*extensive* grsecurity support for Prelude-LML



###################### GRSEC 2 ####################

# /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0"

regex=uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent; id=693; \
 source(0).user.category=application; \ 
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).number=$1; \
 source(0).user.user_id(1).type=user-privs; \
 source(0).user.user_id(1).number=$2; \
 source(0).user.user_id(2).type=current-group; \
 source(0).user.user_id(2).number=$3; \
 source(0).user.user_id(3).type=group-privs; \
 source(0).user.user_id(3).number=$4; \
 chained; silent;

#
# generic grsec2 goto rules
regex=(to|on|against) ([^[ ]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent ([^[]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+); \
 id=691; \
 revision = 1; \
 target(0).process.path=$2; \
 target(0).process.name=$3; \
 target(0).process.pid=$4; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).number=$5; \
 target(0).user.user_id(1).type=user-privs; \
 target(0).user.user_id(1).number=$6; \
 target(0).user.user_id(2).type=current-group; \
 target(0).user.user_id(2).number=$7; \
 target(0).user.user_id(3).type=group-privs; \
 target(0).user.user_id(3).number=$8; \
# target(1).process.path = $9; \
# target(1).process.name = $10; \
# target(1).process.pid = $11; \
# target(1).user.user_id(0).type = current-user; \
# target(1).user.user_id(0).number = $12; \
# target(1).user.user_id(1).type = user-privs; \
# target(1).user.user_id(1).number = $13; \
# target(1).user.user_id(2).type = current-group; \
# target(1).user.user_id(2).number = $14; \
# target(1).user.user_id(3).type = group-privs; \
# target(1).user.user_id(3).number = $15; \
 chained; silent;

regex=(by|for) (IP:([^ ]+) )?([^[ ]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?, parent ([^[]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?; optgoto=693; \
 id=692; \
 revision = 1; \
 source(0).node.address(0).address = $3; \
 source(0).process.path=$4; \
 source(0).process.name=$5; \
 source(0).process.pid=$6; \
 chained; silent;


#
# generic grsec2 goto rules
regex=From (\S+):; \
 id=693; \
 revision = 1; \
 source(0).node.address(0).address = $1; \
 chained; silent;


regex=denied; id=694; assessment.impact.completion = failed; chained; silent;
regex=successful; id=695; assessment.impact.completion = succeeded; chained; silent;




##############

#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
#
#LOG: FIXME
#
regex=denied ptrace of ([^(]+)([^:]+:(\d+)) by ; goto=692; optgoto=693-695; \
 classification.text=Denied ptrace; \
 id=603; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).process.path = $1; \
 target(0).process.name = $2; \
 target(0).process.pid = $3; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to ptrace $1. Access was denied. \
 last

##
#define GR_IOPERM_MSG "denied use of ioperm() by "
#define GR_IOPL_MSG "denied use of iopl() by "
#
#LOG: FIXME
regex=denied use of (ioperm|iopl)\(\) by ; goto=692; optgoto=693-695; \
 classification.text=Denied user of $1; \
 id=603; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 last


##
#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
#LOG: FIXME

##
#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
#LOG: FIXME


##
#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
#
#LOG: Jan 11 01:40:09 gw kernel: grsec: From X: denied attach of shared memory outside of chroot by /chroot/usr/local/apache/bin/httpd[httpd:21579] uid/euid:1000/1000 gid/egid:103/103, parent /chroot/apache/usr/local/apache/bin/httpd[httpd:20755] uid/euid:0/0 gid/egid:0/0

regex=denied attach of shared memory outside of chroot by; goto=692; \
 classification.text=Denied attach of shared memory segment; \
 id=604; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.severity=low; \
 assessment.impact.description=Denied attach of shared memory segment outside of chroot; \
 last


##
#define GR_KMEM_MSG "denied write of /dev/kmem by "
#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
#
#LOG: FIXME
#
regex=denied ((mmap )?write|open) of (/dev/[^ ]+) by; optgoto=693-694; \
 classification.text=Denied $1 of $2; \
 id=602; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was denied to $1 $2.; \
 last


#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"


#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
#
#LOG: Jan 14 10:48:00 gw kernel: grsec: (default:D:/) denied access to hidden file /tmp by /bin/bash[bash:8531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18897] uid/euid:1000/1000 gid/egid:1000/1000
#
regex=denied access to hidden file ([^ ]+) by ; \
goto=692; optgoto=693-695; \
 classification.text=Denied access to hidden file; \
 id=608; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to access the hidden file $1.  This access was denied by the ACL system.  This could have resulted from an incomplete ACL, or an attack may be in progress on your system.; \
 last


#######
#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
#
#LOG: FIXME
#
regex=(denied|successful) (open|create|writing) (of|FIFO) for ; \
 classification.text=Potential FIFO race; \
 id=609; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to write to a FIFO in a world-writable +t directory that was created by a non-root user.  This attempt was denied.  It is possible that this was the result of an intentional FIFO race on your system.; \
 last


#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied mknod of /tmp/test00030374_mknod from chroot by /root/regression/chroot_mknod_test[chroot_mknod_te:30374] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0

regex=denied mknod of ([^ ]+) from chroot by ; \
goto=692; optgoto=693-695; \
 classification.text=Denied mknod from chroot; \
 id=610; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.description=An attempt was made to mknod the device $1 from a chroot jail.; \
 last



#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
#
#LOG: Jan 11 01:40:09 gw kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /bin/login[login:31903] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
#
regex=(denied|successful) connect\(\) to the unix domain socket ([^ ]+) by ; \
goto=692; optgoto=693-694; \
classification.text=Attempted UNIX connect; \
 id=674; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).name = $2; \
 target(0).file(0).category = current; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to connect to the unix domain socket $2 was $1.; \
 last;


#######
# Special case, we can't use 692 here.
#
#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
#
#LOG: Jan 11 01:35:04 gw kernel: grsec: terminal being sniffed by IP:0.0.0.0 /usr/bin/vmnet-natd[vmnet-natd:574], parent /sbin/init[init:1] against /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
#
regex=terminal being sniffed by; \
 goto=691; goto=692;\
 classification.text=Terminal sniffed; \
 id=675; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 last;


#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "


#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
#
# LOG: FIXME
#
regex=(denied|successful) (rename|link|symlink) (of|from) ([^ ]+) to ([^ ]+) by ; \
 goto=692; optgoto=693-694; \
 classification.text=Attempted $2; \
 id=618; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $4; \
 target(0).file(0).category = current; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to $2 $4 to $5. Access was $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
 last


#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
#define GR_NPROC_MSG "denied overstep of process limit by "


#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
#
regex=possible exploit bruteforcing on; goto=691; regex=banning uid (\d+) from login for (\d+) seconds; \
 optgoto=692-694; \
 classification.text=Possible exploit bruteforcing; \
 id=622; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).number=$1; \
 assessment.impact.description=A possible exploit bruteforce attempt was made. The user with uid $1 has been banned from logging in for $2 seconds for causing this alert.; \
 last

#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
#

regex=possible exploit bruteforcing on; goto=691; regex=banning execution for (\d+) seconds; \
 optgoto=692-694; \
 classification.text=Possible exploit bruteforcing; \
 id=623; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=A possible exploit bruteforce attempt was made. The process being bruteforced is banned from execution for $1 seconds.; \
 last


#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "

#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
#
#LOG: Jan 13 15:20:27 gw kernel: grsec: denied chmod +s /tmp/test0008410_chmod by /root/regression/chroot_chmod_test[chroot_chmod_te:8410] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:15418] uid/euid:0/0 gid/egid:0/0

regex=denied chmod \+s ([^ ]+) by ; \
goto=692; optgoto=692-695; \
 classification.text=Denied chmod +s from chroot; \
 id=638; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to chmod +s the file $1.  Access was denied.; \
 last


#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied fchdir outside of chroot to /etc by /root/regression/chroot_fchdir_test[chroot_fchdir_t:9025] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0

regex=denied fchdir outside of chroot to ([^ ]+) by; \
goto=692; optgoto=693-695;  \
 classification.text=Denied fchdir out of chroot; \
 id=631; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \ 
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to fchdir out of a chroot jail to the directory $1.  Access was denied.; \
 last


#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
#define GR_INITF_ACL_MSG "init_variables() failed %s by "
#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "



#######

##
#define GR_SHUTS_ACL_MSG "shutdown auth success for "
#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
#
#LOG: Jan 11 01:36:27 gw kernel: grsec: shutdown auth success for /sbin/gradm[gradm:27128] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14872] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 11 01:51:59 gw kernel: grsec: (default:D:/sbin/gradm) shutdown auth failure for /sbin/gradm[gradm:8974] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:27363] uid/euid:0/0 gid/egid:0/0
#
regex=shutdown auth (success|failure) for; goto=692; optgoto=693-694; \
classification.text=Grsecurity ACL shutdown; \
 id=676; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 source(0).node.address(0).address = $1; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 last;

#######

#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "

######
#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
#
#LOG: FIXME
regex=segvmod auth (success|failure); \
 classification.text=ACL system segvmod $1; \
 id=644; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=$1 in removing a ban on a user or binary due to possible exploit bruteforcing.; \
 last

#######
#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
#
#LOG: FIXME
regex=ignoring segvmod for disabled RBAC system for ; \
 classification.text=ACL system segvmod ignored; \
 id=646; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was ignored to remove a ban on a user or binary due to possible exploit bruteforcing.; \
 last


#######
#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
#LOG: Jan 11 01:35:04 gw kernel: grsec: (default:D:/sbin/gradm) grsecurity 2.1.1 RBAC system loaded by /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0

regex=RBAC system loaded by; goto=692; \
 classification.text=RBAC system loaded; \
 id=647; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=The RBAC system was successfully loaded.; \
 last


####
#define GR_ENABLEF_ACL_MSG "unable to load %s for "
#define GR_RELOADF_ACL_MSG "failed reload of %s for "
#
#LOG:FIXME
#
regex=(unable to|failed) (load|reload); goto=692; \
 classification.text=$2 failed; \
 id=649; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=Failed attempt to $2 the ACL system.;\
 last


#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
#define GR_SPROLEF_ACL_MSG "special role %s failure for "
#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
#define GR_INVMODE_ACL_MSG "invalid mode %d by "

#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied priority change of process (chroot_nice_tes:15707) by /root/regression/chroot_nice_test[chroot_nice_tes:15707] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0

regex=denied priority change of process \(([^:]+):(\d+)\) by ; \
goto=692; optgoto=693-695; \
 classification.text=Denied process priority change; \
 id=658; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 target(0).process.name=$1; \
 target(0).process.pid=$2; \
 assessment.impact.description=An attempt was made to change the priority of a process.  Access was denied.; \
 last



####
#define GR_FAILFORK_MSG "failed fork with errno %d by "
#
#LOG: Mar 15 16:14:35 sysadmin kernel: grsec: From 192.168.1.25: failed fork with errno -11 by /root/test/fork-bomb[fork-bomb:4362] uid/euid:0/0 gid/egid:0/0, parent /root/test/fork-bomb[fork-bomb:4009] uid/euid:0/0 gid/egid:0/0

regex=failed fork with errno (-?\d+) by ([^[]+); \
optgoto=691; optgoto=692-695; \
 classification.text=Fork failure; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=Program $2 tried to fork and failed with errno $1.; \
 last


#define GR_NICE_CHROOT_MSG "denied priority change by "

##
#define GR_UNISIGLOG_MSG "signal %d sent to "
#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
#
#LOG: Jan  9 22:36:13 gw kernel: grsec: signal 11 sent to /usr/lib/vmware/bin/vmware-vmx[vmware-vmx:11733] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/vmware/bin/vmware[vmware:25692] uid/euid:1000/1000 gid/egid:1000/1000
#
#LOG:May  2 18:13:42 lt kernel: grsec: From 82.226.58.44: signal 11 sent to /usr/lib/paxtest/writetext[writetext:2806] uid/euid:1/2 gid/egid:3/4, parent /usr/lib/paxtest/writetext[writetext:23332] uid/euid:5/6 gid/egid:7/8

regex=signal (\d+) sent to; id=662; \
goto=691; optgoto=692-695; \
 classification.text=Signal $1 sent; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=Signal $1 was sent to a process.; \
 last

##
#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
#
#LOG: FIXME
regex=denied send of signal (\d+) to protected task; goto=691; goto=692; \
 classification.text=Denied signal to protected process; \
 id=664; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to send signal $1 to a protected process.  Access was denied.; \
 last

##
#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
#


#######

#define GR_TIME_MSG "time set by "
#
#LOG: Jan 10 06:32:09 gw kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:18730] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:24082] uid/euid:0/0 gid/egid:0/0
#
#LOG:Jun 19 15:53:23 lomo kernel: grsec: time set by /sbin/hwclock[hwclock:27144] uid/euid:1/2 gid/egid:3/4, parent /sbin/rc[rc:1229] uid/euid:5/6 gid/egid:7/8
#
#LOG:May  2 12:55:27 lsd kernel: grsec: From x.x.y.z: time set by /usr/bin/ntpd[ntpd:30864] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

regex=time set by; id = 669; \
goto=692; optgoto=692-694; \
 classification.text=System time changed; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=The system time was modified.; \
 last


#
#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "


#######
#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
#
#LOG:Jun 19 15:53:23 lomo kernel: grsec: From x.x.x.x: denied executable mmap of /var/www/blah.gif by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0

#
regex=(denied|successful) executable (mmap|mprotect) of ([^ ]+) by ; goto=691; optgoto=692-694; \
 classification.text=Attempted $2 executable; \
 id=670; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 target(0).file(0).name = $3; \
 assessment.impact.description=An attempt was made to $2 the file $3 executable. Access was $1.; \
 last


#######
#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
#
#LOG:Jul 10 01:15:47 worker kernel: grsec: (root:U:/usr/lib/cgi-bin/awstats.pl) denied socket(inet,stream,ip) by /usr/lib/cgi-bin/awstats.pl[awstats.pl:22937] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:29005] uid/euid:0/0 gid/egid:0/0
#
regex=(successful|denied) socket\((\w+),(\w+),(\w+)\) by ; goto=692; optgoto=693-694; \
 classification.text=Attempted socket use; \
 id=671; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to socket($2, $3, $4) was made.  Access was $1.; \
 last


#######
#define GR_BIND_MSG "denied bind() by "
#define GR_CONNECT_MSG "denied connect() by "
#
#LOG: FIXME
#
regex=denied (connect\(\)|bind\(\)) by; goto=692; optgoto=693-694; \
classification.text=Denied $1; \
 id=672; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to $1 was denied.; \
 last

#######
#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
#
#LOG:Jul 10 01:15:47 worker kernel: grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) denied bind() to 1.1.1.1 port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0

regex=denied (connect|bind)\(\) to (\d+\.\d+\.\d+\.\d+) port (\d+) sock type (\w+) protocol (\w+); \ 
goto=692; optgoto=693-694; \
classification.text=Denied $1; \
 id=673; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).node.address(0).address = $2; \
 target(0).service.port = $3; \
 target(0).service.iana_protocol_name = $4; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to $1 to $2:$3 was denied.; \
 last


#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
#define GR_CAP_ACL_MSG "use of %s denied for "
#define GR_USRCHANGE_ACL_MSG "change to uid %d denied for "
#define GR_GRPCHANGE_ACL_MSG "change to gid %d denied for "

#######
#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
#
regex=(mount|unmount|remount) of ([^ ]+) by;  goto=691; optgoto=692-694; \
classification.text=Filesystem $1ed; \
 id=677; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $2; \
 target(0).file(0).category = current; \
 assessment.impact.type=file; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$2 was $1ed.; \
 last;


#######
#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
#
#LOG: Jan 13 12:08:42 gw kernel: grsec: From 192.168.1.25: chdir to /home/client/test by /bin/bash[bash:2532] uid/euid:1000/1000 gid/egid:2000/2000, parent /usr/sbin/sshd[sshd:2531] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=chdir to ([^ ]+) by ; goto=692; optgoto=693-694; \
 classification.text=Attempted chdir; \
 id=630; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.description=An attempt was made to chdir to the directory $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
 last


#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "

#LOG:Jan 13 12:08:42 gw kernel: grsec: exec of /sbin/start-stop-daemon (start-stop-daemon --stop --quiet --exec /sbin/klogd --pidfile /var/run/klogd.pid ) by /etc/init.d/klogd[K89klogd:7612] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/klogd[K89klogd:11922] uid/euid:0/0 gid/egid:0/0

regex=exec of ([^ ]+) \(([^ ]+) ([^)]+)\) by ; \
goto=692; optgoto=693-694; \
 classification.text=Binary executed; \
 id=682; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=file; \
 assessment.impact.severity=low; \
 target(0).process.name = $2; \
 target(0).process.path = $1; \
 target(0).process.arg(0) = $3; \
 assessment.impact.description=The command: $1 was executed.; \
 last


#######
#define GR_MSGQ_AUDIT_MSG "message queue created by "
#define GR_SEM_AUDIT_MSG "semaphore created by "
#
#LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: semaphore created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 
#

regex=(semaphore|message queue) created by ; \
 classification.text=$1 created; \
 id=685; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=file; \
 assessment.impact.severity=low; \
 assessment.impact.description=A $1 was created.; \
 last


#######
#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
#
#LOG: Mar 22 11:25:29 sysadmin kernel: grsec: From 192.168.1.25: shared memory of size 1024 created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=shared memory of size (\d+) created by ; \
 classification.text=Shared memory created; \
 id=688; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=file; \
 assessment.impact.severity=low; \
 assessment.impact.description=Shared memory of size $1 was created.; \
 last



#######
#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by "
#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by "
#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by "
#
#LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: shared memory of uid:1000 euid:1000 removed by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000
# 
regex=(message queue|semaphore|shared memory) of uid:(\d+) euid:(\d+) removed by ; \
 goto=692; optgoto=693-694; \
 classification.text=$1 removed; \
 id=684; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).number=$2; \
 target(0).user.user_id(1).type=user-privs; \
 target(0).user.user_id(1).number=$3; \
 assessment.impact.completion=succeeded; \
 assessment.impact.severity=low; \
 assessment.impact.description=A $1 was removed.; \
 last


#######
#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
#
#LOG: Jan 12 19:48:15 gw kernel: grsec: denied resource overstep by requesting 495360 for RLIMIT_DATA against limit 0 by /usr/bin/valgrind.bin[valgrind.bin:29839] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31044] uid/euid:0/0 gid/egid:0/0

regex=denied resource overstep by requesting (\d+) for (\w+) against limit (\d+) by ; \
 classification.text=Denied resource overstep; \
 goto=692; optgoto=693-694; \
 id=620; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was denied to overstep the process limit.; \
 last


#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "



















#***  Groupped stuff ****
##
#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
#
#LOG: Jan 11 01:51:51 gw kernel: grsec: (default:D:/) denied open of /var/log/lastlog for reading writing by /bin/login[login:27363] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful open of /root/.nano_history for writing by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0

regex=(denied|successful) (open|access) of ([^ ]+) for (.*) by ; \
goto=692; optgoto=693-695; \
 classification.text=Attempted $2; \
 id=603; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $3; \
 target(0).file(0).category = current; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=$1 $2 of $3 for $4. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
 last


#######
#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
#
#LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful execution of /bin/blah by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: successful chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0


regex=(denied|successful) (mknod|mkdir|rmdir|unlink|untrusted exec|execution|truncate|access time change|fchmod|chmod|chown|executable mmap|executable mprotect) of ([^ ]+) by ; \
goto=692; optgoto=693-695; \
 classification.text=Attempted $2; \
 id=610; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 target(0).file(0).path = $3; \
 target(0).file(0).category = current; \
 assessment.impact.description=An attempt was made to $2 the file $3. Access was $1.; \
 last