grsecurity: no data - no errors #58
Comments
I have access to one server using a grsecurity enhanced kernel. Looking at the content of /proc/net/dev, I really can't see any way to identify if the lack of traffic is caused by the interface actually having seen no traffic or by some masking by kernel-related changes. Therefore, producing any warnings based on that data could result in false warnings. Possibly a note to the non-root install instructions and the RESTRICTIONS section of the man page would be the correct place to include documentation related to this use scenario.
I misunderstood the problem at first, so the previous suggestions are void. A note on the man page sounds good. What about this patch
I'd prefer to have some way of detecting when a grsecurity enhanced kernel is being used. That way, the logic could be to check if the user is something other than root, then check for grsecurity and, if found and traffic equals zero, show the warning. The problem is, even after reading the grsecurity documentation, I haven't seen a way of detecting when grsecurity is enabled. The grsec-proc group at most indicates that the system may have had grsecurity enabled at some point. That group name may also be Debian-specific, as I didn't see such a group name suggested by the grsecurity documentation directly.
Maybe for now an addition to the man page is sufficient, as adding detection for a running grsecurity enhanced kernel is not (meant to be?) simple and might invoke too extensive access (e.g. when using an LSM, like SELinux).
When using a grsecurity enhanced kernel and running vnstatd with the user vnstat, no data is collected.
Due to proc restrictions by grsec, the vnstat user must be a member of the grsec-proc group.
When this is not the case, vnstatd collects no data and produces no error or warning log messages.
Please add one for this case.
Maybe at
vnstat/src/ifinfo.c
Line 68 in 4e1b097
vnstat/src/ifinfo.c
Line 22 in 4e1b097