/etc/prelude-lml/ruleset/grsecurity.rules is in prelude-lml 1.0.0-5.3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 | #####
#
# Copyright (C) 2005 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####
# *exhaustive* err..*extensive* grsecurity support for Prelude-LML
###################### GRSEC 2 ####################
# /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0"
regex=uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent; id=693; \
source(0).user.category=application; \
source(0).user.user_id(0).type=current-user; \
source(0).user.user_id(0).number=$1; \
source(0).user.user_id(1).type=user-privs; \
source(0).user.user_id(1).number=$2; \
source(0).user.user_id(2).type=current-group; \
source(0).user.user_id(2).number=$3; \
source(0).user.user_id(3).type=group-privs; \
source(0).user.user_id(3).number=$4; \
chained; silent;
#
# generic grsec2 goto rules
regex=(to|on|against) ([^[ ]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent ([^[]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+); \
id=691; \
revision = 1; \
target(0).process.path=$2; \
target(0).process.name=$3; \
target(0).process.pid=$4; \
target(0).user.category=application; \
target(0).user.user_id(0).type=current-user; \
target(0).user.user_id(0).number=$5; \
target(0).user.user_id(1).type=user-privs; \
target(0).user.user_id(1).number=$6; \
target(0).user.user_id(2).type=current-group; \
target(0).user.user_id(2).number=$7; \
target(0).user.user_id(3).type=group-privs; \
target(0).user.user_id(3).number=$8; \
# target(1).process.path = $9; \
# target(1).process.name = $10; \
# target(1).process.pid = $11; \
# target(1).user.user_id(0).type = current-user; \
# target(1).user.user_id(0).number = $12; \
# target(1).user.user_id(1).type = user-privs; \
# target(1).user.user_id(1).number = $13; \
# target(1).user.user_id(2).type = current-group; \
# target(1).user.user_id(2).number = $14; \
# target(1).user.user_id(3).type = group-privs; \
# target(1).user.user_id(3).number = $15; \
chained; silent;
regex=(by|for) (IP:([^ ]+) )?([^[ ]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?, parent ([^[]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?; optgoto=693; \
id=692; \
revision = 1; \
source(0).node.address(0).address = $3; \
source(0).process.path=$4; \
source(0).process.name=$5; \
source(0).process.pid=$6; \
chained; silent;
#
# generic grsec2 goto rules
regex=From (\S+):; \
id=693; \
revision = 1; \
source(0).node.address(0).address = $1; \
chained; silent;
regex=denied; id=694; assessment.impact.completion = failed; chained; silent;
regex=successful; id=695; assessment.impact.completion = succeeded; chained; silent;
##############
#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
#
#LOG: FIXME
#
regex=denied ptrace of ([^(]+)([^:]+:(\d+)) by ; goto=692; optgoto=693-695; \
classification.text=Denied ptrace; \
id=603; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).process.path = $1; \
target(0).process.name = $2; \
target(0).process.pid = $3; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to ptrace $1. Access was denied. \
last
##
#define GR_IOPERM_MSG "denied use of ioperm() by "
#define GR_IOPL_MSG "denied use of iopl() by "
#
#LOG: FIXME
regex=denied use of (ioperm|iopl)\(\) by ; goto=692; optgoto=693-695; \
classification.text=Denied user of $1; \
id=603; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
last
##
#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
#LOG: FIXME
##
#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
#LOG: FIXME
##
#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
#
#LOG: Jan 11 01:40:09 gw kernel: grsec: From X: denied attach of shared memory outside of chroot by /chroot/usr/local/apache/bin/httpd[httpd:21579] uid/euid:1000/1000 gid/egid:103/103, parent /chroot/apache/usr/local/apache/bin/httpd[httpd:20755] uid/euid:0/0 gid/egid:0/0
regex=denied attach of shared memory outside of chroot by; goto=692; \
classification.text=Denied attach of shared memory segment; \
id=604; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.severity=low; \
assessment.impact.description=Denied attach of shared memory segment outside of chroot; \
last
##
#define GR_KMEM_MSG "denied write of /dev/kmem by "
#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
#
#LOG: FIXME
#
regex=denied ((mmap )?write|open) of (/dev/[^ ]+) by; optgoto=693-694; \
classification.text=Denied $1 of $2; \
id=602; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was denied to $1 $2.; \
last
#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
#
#LOG: Jan 14 10:48:00 gw kernel: grsec: (default:D:/) denied access to hidden file /tmp by /bin/bash[bash:8531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18897] uid/euid:1000/1000 gid/egid:1000/1000
#
regex=denied access to hidden file ([^ ]+) by ; \
goto=692; optgoto=693-695; \
classification.text=Denied access to hidden file; \
id=608; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).path = $1; \
target(0).file(0).category = current; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to access the hidden file $1. This access was denied by the ACL system. This could have resulted from an incomplete ACL, or an attack may be in progress on your system.; \
last
#######
#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
#
#LOG: FIXME
#
regex=(denied|successful) (open|create|writing) (of|FIFO) for ; \
classification.text=Potential FIFO race; \
id=609; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to write to a FIFO in a world-writable +t directory that was created by a non-root user. This attempt was denied. It is possible that this was the result of an intentional FIFO race on your system.; \
last
#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied mknod of /tmp/test00030374_mknod from chroot by /root/regression/chroot_mknod_test[chroot_mknod_te:30374] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied mknod of ([^ ]+) from chroot by ; \
goto=692; optgoto=693-695; \
classification.text=Denied mknod from chroot; \
id=610; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
target(0).file(0).path = $1; \
target(0).file(0).category = current; \
assessment.impact.description=An attempt was made to mknod the device $1 from a chroot jail.; \
last
#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
#
#LOG: Jan 11 01:40:09 gw kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /bin/login[login:31903] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
#
regex=(denied|successful) connect\(\) to the unix domain socket ([^ ]+) by ; \
goto=692; optgoto=693-694; \
classification.text=Attempted UNIX connect; \
id=674; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).name = $2; \
target(0).file(0).category = current; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt to connect to the unix domain socket $2 was $1.; \
last;
#######
# Special case, we can't use 692 here.
#
#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
#
#LOG: Jan 11 01:35:04 gw kernel: grsec: terminal being sniffed by IP:0.0.0.0 /usr/bin/vmnet-natd[vmnet-natd:574], parent /sbin/init[init:1] against /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
#
regex=terminal being sniffed by; \
goto=691; goto=692;\
classification.text=Terminal sniffed; \
id=675; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
last;
#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
#
# LOG: FIXME
#
regex=(denied|successful) (rename|link|symlink) (of|from) ([^ ]+) to ([^ ]+) by ; \
goto=692; optgoto=693-694; \
classification.text=Attempted $2; \
id=618; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).path = $4; \
target(0).file(0).category = current; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to $2 $4 to $5. Access was $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
last
#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
#define GR_NPROC_MSG "denied overstep of process limit by "
#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
#
regex=possible exploit bruteforcing on; goto=691; regex=banning uid (\d+) from login for (\d+) seconds; \
optgoto=692-694; \
classification.text=Possible exploit bruteforcing; \
id=622; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
source(0).user.category=os-device; \
source(0).user.user_id(0).type=original-user; \
source(0).user.user_id(0).number=$1; \
assessment.impact.description=A possible exploit bruteforce attempt was made. The user with uid $1 has been banned from logging in for $2 seconds for causing this alert.; \
last
#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
#
regex=possible exploit bruteforcing on; goto=691; regex=banning execution for (\d+) seconds; \
optgoto=692-694; \
classification.text=Possible exploit bruteforcing; \
id=623; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=A possible exploit bruteforce attempt was made. The process being bruteforced is banned from execution for $1 seconds.; \
last
#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
#
#LOG: Jan 13 15:20:27 gw kernel: grsec: denied chmod +s /tmp/test0008410_chmod by /root/regression/chroot_chmod_test[chroot_chmod_te:8410] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:15418] uid/euid:0/0 gid/egid:0/0
regex=denied chmod \+s ([^ ]+) by ; \
goto=692; optgoto=692-695; \
classification.text=Denied chmod +s from chroot; \
id=638; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to chmod +s the file $1. Access was denied.; \
last
#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied fchdir outside of chroot to /etc by /root/regression/chroot_fchdir_test[chroot_fchdir_t:9025] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied fchdir outside of chroot to ([^ ]+) by; \
goto=692; optgoto=693-695; \
classification.text=Denied fchdir out of chroot; \
id=631; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).path = $1; \
target(0).file(0).category = current; \
assessment.impact.completion=failed; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to fchdir out of a chroot jail to the directory $1. Access was denied.; \
last
#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
#define GR_INITF_ACL_MSG "init_variables() failed %s by "
#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
#######
##
#define GR_SHUTS_ACL_MSG "shutdown auth success for "
#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
#
#LOG: Jan 11 01:36:27 gw kernel: grsec: shutdown auth success for /sbin/gradm[gradm:27128] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14872] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 11 01:51:59 gw kernel: grsec: (default:D:/sbin/gradm) shutdown auth failure for /sbin/gradm[gradm:8974] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:27363] uid/euid:0/0 gid/egid:0/0
#
regex=shutdown auth (success|failure) for; goto=692; optgoto=693-694; \
classification.text=Grsecurity ACL shutdown; \
id=676; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
source(0).node.address(0).address = $1; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
last;
#######
#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
######
#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
#
#LOG: FIXME
regex=segvmod auth (success|failure); \
classification.text=ACL system segvmod $1; \
id=644; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=admin; \
assessment.impact.severity=high; \
assessment.impact.description=$1 in removing a ban on a user or binary due to possible exploit bruteforcing.; \
last
#######
#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
#
#LOG: FIXME
regex=ignoring segvmod for disabled RBAC system for ; \
classification.text=ACL system segvmod ignored; \
id=646; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=admin; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was ignored to remove a ban on a user or binary due to possible exploit bruteforcing.; \
last
#######
#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
#LOG: Jan 11 01:35:04 gw kernel: grsec: (default:D:/sbin/gradm) grsecurity 2.1.1 RBAC system loaded by /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
regex=RBAC system loaded by; goto=692; \
classification.text=RBAC system loaded; \
id=647; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=admin; \
assessment.impact.severity=high; \
assessment.impact.description=The RBAC system was successfully loaded.; \
last
####
#define GR_ENABLEF_ACL_MSG "unable to load %s for "
#define GR_RELOADF_ACL_MSG "failed reload of %s for "
#
#LOG:FIXME
#
regex=(unable to|failed) (load|reload); goto=692; \
classification.text=$2 failed; \
id=649; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=admin; \
assessment.impact.severity=high; \
assessment.impact.description=Failed attempt to $2 the ACL system.;\
last
#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
#define GR_SPROLEF_ACL_MSG "special role %s failure for "
#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
#define GR_INVMODE_ACL_MSG "invalid mode %d by "
#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied priority change of process (chroot_nice_tes:15707) by /root/regression/chroot_nice_test[chroot_nice_tes:15707] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied priority change of process \(([^:]+):(\d+)\) by ; \
goto=692; optgoto=693-695; \
classification.text=Denied process priority change; \
id=658; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
target(0).process.name=$1; \
target(0).process.pid=$2; \
assessment.impact.description=An attempt was made to change the priority of a process. Access was denied.; \
last
####
#define GR_FAILFORK_MSG "failed fork with errno %d by "
#
#LOG: Mar 15 16:14:35 sysadmin kernel: grsec: From 192.168.1.25: failed fork with errno -11 by /root/test/fork-bomb[fork-bomb:4362] uid/euid:0/0 gid/egid:0/0, parent /root/test/fork-bomb[fork-bomb:4009] uid/euid:0/0 gid/egid:0/0
regex=failed fork with errno (-?\d+) by ([^[]+); \
optgoto=691; optgoto=692-695; \
classification.text=Fork failure; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=Program $2 tried to fork and failed with errno $1.; \
last
#define GR_NICE_CHROOT_MSG "denied priority change by "
##
#define GR_UNISIGLOG_MSG "signal %d sent to "
#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
#
#LOG: Jan 9 22:36:13 gw kernel: grsec: signal 11 sent to /usr/lib/vmware/bin/vmware-vmx[vmware-vmx:11733] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/vmware/bin/vmware[vmware:25692] uid/euid:1000/1000 gid/egid:1000/1000
#
#LOG:May 2 18:13:42 lt kernel: grsec: From 82.226.58.44: signal 11 sent to /usr/lib/paxtest/writetext[writetext:2806] uid/euid:1/2 gid/egid:3/4, parent /usr/lib/paxtest/writetext[writetext:23332] uid/euid:5/6 gid/egid:7/8
regex=signal (\d+) sent to; id=662; \
goto=691; optgoto=692-695; \
classification.text=Signal $1 sent; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=Signal $1 was sent to a process.; \
last
##
#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
#
#LOG: FIXME
regex=denied send of signal (\d+) to protected task; goto=691; goto=692; \
classification.text=Denied signal to protected process; \
id=664; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was made to send signal $1 to a protected process. Access was denied.; \
last
##
#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
#
#######
#define GR_TIME_MSG "time set by "
#
#LOG: Jan 10 06:32:09 gw kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:18730] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:24082] uid/euid:0/0 gid/egid:0/0
#
#LOG:Jun 19 15:53:23 lomo kernel: grsec: time set by /sbin/hwclock[hwclock:27144] uid/euid:1/2 gid/egid:3/4, parent /sbin/rc[rc:1229] uid/euid:5/6 gid/egid:7/8
#
#LOG:May 2 12:55:27 lsd kernel: grsec: From x.x.y.z: time set by /usr/bin/ntpd[ntpd:30864] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
regex=time set by; id = 669; \
goto=692; optgoto=692-694; \
classification.text=System time changed; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=The system time was modified.; \
last
#
#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
#######
#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
#
#LOG:Jun 19 15:53:23 lomo kernel: grsec: From x.x.x.x: denied executable mmap of /var/www/blah.gif by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0
#
regex=(denied|successful) executable (mmap|mprotect) of ([^ ]+) by ; goto=691; optgoto=692-694; \
classification.text=Attempted $2 executable; \
id=670; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
target(0).file(0).name = $3; \
assessment.impact.description=An attempt was made to $2 the file $3 executable. Access was $1.; \
last
#######
#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
#
#LOG:Jul 10 01:15:47 worker kernel: grsec: (root:U:/usr/lib/cgi-bin/awstats.pl) denied socket(inet,stream,ip) by /usr/lib/cgi-bin/awstats.pl[awstats.pl:22937] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:29005] uid/euid:0/0 gid/egid:0/0
#
regex=(successful|denied) socket\((\w+),(\w+),(\w+)\) by ; goto=692; optgoto=693-694; \
classification.text=Attempted socket use; \
id=671; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt to socket($2, $3, $4) was made. Access was $1.; \
last
#######
#define GR_BIND_MSG "denied bind() by "
#define GR_CONNECT_MSG "denied connect() by "
#
#LOG: FIXME
#
regex=denied (connect\(\)|bind\(\)) by; goto=692; optgoto=693-694; \
classification.text=Denied $1; \
id=672; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt to $1 was denied.; \
last
#######
#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
#
#LOG:Jul 10 01:15:47 worker kernel: grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) denied bind() to 1.1.1.1 port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0
regex=denied (connect|bind)\(\) to (\d+\.\d+\.\d+\.\d+) port (\d+) sock type (\w+) protocol (\w+); \
goto=692; optgoto=693-694; \
classification.text=Denied $1; \
id=673; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).node.address(0).address = $2; \
target(0).service.port = $3; \
target(0).service.iana_protocol_name = $4; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt to $1 to $2:$3 was denied.; \
last
#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
#define GR_CAP_ACL_MSG "use of %s denied for "
#define GR_USRCHANGE_ACL_MSG "change to uid %d denied for "
#define GR_GRPCHANGE_ACL_MSG "change to gid %d denied for "
#######
#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
#
regex=(mount|unmount|remount) of ([^ ]+) by; goto=691; optgoto=692-694; \
classification.text=Filesystem $1ed; \
id=677; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).path = $2; \
target(0).file(0).category = current; \
assessment.impact.type=file; \
assessment.impact.severity=medium; \
assessment.impact.description=$2 was $1ed.; \
last;
#######
#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
#
#LOG: Jan 13 12:08:42 gw kernel: grsec: From 192.168.1.25: chdir to /home/client/test by /bin/bash[bash:2532] uid/euid:1000/1000 gid/egid:2000/2000, parent /usr/sbin/sshd[sshd:2531] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=chdir to ([^ ]+) by ; goto=692; optgoto=693-694; \
classification.text=Attempted chdir; \
id=630; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.description=An attempt was made to chdir to the directory $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
last
#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
#LOG:Jan 13 12:08:42 gw kernel: grsec: exec of /sbin/start-stop-daemon (start-stop-daemon --stop --quiet --exec /sbin/klogd --pidfile /var/run/klogd.pid ) by /etc/init.d/klogd[K89klogd:7612] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/klogd[K89klogd:11922] uid/euid:0/0 gid/egid:0/0
regex=exec of ([^ ]+) \(([^ ]+) ([^)]+)\) by ; \
goto=692; optgoto=693-694; \
classification.text=Binary executed; \
id=682; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=file; \
assessment.impact.severity=low; \
target(0).process.name = $2; \
target(0).process.path = $1; \
target(0).process.arg(0) = $3; \
assessment.impact.description=The command: $1 was executed.; \
last
#######
#define GR_MSGQ_AUDIT_MSG "message queue created by "
#define GR_SEM_AUDIT_MSG "semaphore created by "
#
#LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: semaphore created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=(semaphore|message queue) created by ; \
classification.text=$1 created; \
id=685; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=file; \
assessment.impact.severity=low; \
assessment.impact.description=A $1 was created.; \
last
#######
#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
#
#LOG: Mar 22 11:25:29 sysadmin kernel: grsec: From 192.168.1.25: shared memory of size 1024 created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=shared memory of size (\d+) created by ; \
classification.text=Shared memory created; \
id=688; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=succeeded; \
assessment.impact.type=file; \
assessment.impact.severity=low; \
assessment.impact.description=Shared memory of size $1 was created.; \
last
#######
#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by "
#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by "
#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by "
#
#LOG: Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: shared memory of uid:1000 euid:1000 removed by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000
#
regex=(message queue|semaphore|shared memory) of uid:(\d+) euid:(\d+) removed by ; \
goto=692; optgoto=693-694; \
classification.text=$1 removed; \
id=684; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).user.user_id(0).type=target-user; \
target(0).user.user_id(0).number=$2; \
target(0).user.user_id(1).type=user-privs; \
target(0).user.user_id(1).number=$3; \
assessment.impact.completion=succeeded; \
assessment.impact.severity=low; \
assessment.impact.description=A $1 was removed.; \
last
#######
#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
#
#LOG: Jan 12 19:48:15 gw kernel: grsec: denied resource overstep by requesting 495360 for RLIMIT_DATA against limit 0 by /usr/bin/valgrind.bin[valgrind.bin:29839] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31044] uid/euid:0/0 gid/egid:0/0
regex=denied resource overstep by requesting (\d+) for (\w+) against limit (\d+) by ; \
classification.text=Denied resource overstep; \
goto=692; optgoto=693-694; \
id=620; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An attempt was denied to overstep the process limit.; \
last
#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
#*** Groupped stuff ****
##
#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
#
#LOG: Jan 11 01:51:51 gw kernel: grsec: (default:D:/) denied open of /var/log/lastlog for reading writing by /bin/login[login:27363] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful open of /root/.nano_history for writing by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
regex=(denied|successful) (open|access) of ([^ ]+) for (.*) by ; \
goto=692; optgoto=693-695; \
classification.text=Attempted $2; \
id=603; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
target(0).file(0).path = $3; \
target(0).file(0).category = current; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
assessment.impact.description=$1 $2 of $3 for $4. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
last
#######
#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
#
#LOG: Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful execution of /bin/blah by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: denied chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0
#
#LOG: Jan 13 15:28:40 gw kernel: grsec: successful chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0
regex=(denied|successful) (mknod|mkdir|rmdir|unlink|untrusted exec|execution|truncate|access time change|fchmod|chmod|chown|executable mmap|executable mprotect) of ([^ ]+) by ; \
goto=692; optgoto=693-695; \
classification.text=Attempted $2; \
id=610; \
revision=1; \
analyzer(0).name=grsecurity; \
analyzer(0).manufacturer=www.grsecurity.net; \
analyzer(0).class=Kernel; \
assessment.impact.type=file; \
assessment.impact.severity=high; \
target(0).file(0).path = $3; \
target(0).file(0).category = current; \
assessment.impact.description=An attempt was made to $2 the file $3. Access was $1.; \
last
|