Hacking your GoFlex Home, #3 Ideas

Well, first off, the ability to add just one USB device is a little boring; I've been using a Belkin 4-port USB hub, and the results are good. For cooling, you may want to remove the bottom cover and sit the GoFlex on a laptop cooling pad or something similar, as the processor does slowly get hot.

You could also throw in a USB WiFi card and turn your GoFlex into a very capable NAS. Things I've done with mine:

  • Run a DLNA/UPnP server, since it is my NAS
  • Internet gateway
  • Torrent station (I use the transmission daemon with its web UI)
  • FTP server

There are many more uses for this tiny plug computer; I'm using it for development.

Also, it's preferable to run Gentoo or Arch Linux from a USB stick: when testing involves repeated hard power-offs and resets, you don't want the SATA drive spinning up (and being cut off mid-write) for no reason.

Hacking your GoFlex Home, #2 UART Serial Console

Serial console? That's beautiful when it comes to debugging. The following images are specific to the Seagate GoFlex Home; however, you may be able to figure out the connections for other Marvell SoCs from them.

On the board:
Notice that according to the picture, the bottom right last three pins are used.
Connections on the SoC

The junction:
I've used extra wires simply for convenience; the orange, yellow and black wires connect to the white, black and grey ones respectively.
The Junction

On the USB UART Adapter:
I've used a USB 2.0 to RS232 TTL converter module, PL2102 (easily available on eBay).
On The USB Adapter

PIN Configuration:
On the GoFlex Home:

10 9 8 7 6
 5 4 3 2 1

1 => GND (Ground for the serial communication)
2 => RX  (Receiving bits)
3 => TX  (Transmitting bits)

Note: RX and TX are crossed at one end, because the RX of the GoFlex connects to the TX of the USB adapter, and vice versa. Also make sure the adapter really is a 3.3V TTL-level one: the SoC's UART pins are logic-level, and a true RS232 signal (up to ±12V) would damage them.

After you connect the USB end to your desktop/laptop, you can use screen to display the serial console:

# screen /dev/ttyUSB0 115200

The serial console is especially useful for debugging the kernel boot and setting the u-boot environment.

Hacking your GoFlex Home, #1 Build your KERNEL

It's been quite some time since I got my GoFlex Home, and it's only recently that I received my RS232 serial USB UART adapter.
The pin connections are simple; I'll post those as well. Although I already had Gentoo Linux running on the Marvell SoC, I was still using the Arch Linux ARM kernel, for lack of better options. Building the kernel seemed a simple task, but if you use the Arch Linux ARM kernel config as the base for your own, you won't see the kernel's debug messages, only the warnings, and those are few.

To get going:
Download the kernel sources; I got a successful build with vanilla 3.1.10 sources patched with the Arch Linux ARM patches.
After patching the kernel, generate the default Kirkwood configuration with:

# make kirkwood_defconfig

That generates the default configuration; then configure it via menuconfig and set the required options (if you cross-compile on a desktop rather than building on the device, pass ARCH=arm and CROSS_COMPILE=<toolchain prefix> to every make invocation).
I've attached my current kernel configuration; you could use it as a base, since it took me quite a while to get the kernel working right. This kernel does not support an initrd, as I don't think embedded devices need one. So if your kernel says it can't mount the VFS, it's likely that your U-Boot is handing it an initrd, which, surprisingly, took me quite a while to figure out.
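As an added example (not from the post, and not the author's attached .config), here is a shell check for the no-initrd case described above: with no initrd there is nothing that can load modules before the root filesystem is mounted, so every driver between the kernel and the root fs must be built in (=y), and a kernel that does accept an initrd will use whatever U-Boot hands it. The symbol list is for root on a USB stick; the two .config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post and not the attached .config: a sanity
# check for a kernel .config that has to boot a USB-stick root filesystem
# without an initrd.  With no initrd there is nothing that can load modules
# before the root fs is mounted, so every driver on the path to it must be
# built in (=y), never =m.  The symbol list is for root on a USB stick; swap
# in the SATA symbols if the root fs lives on the dock.
# check_noinitrd_config <.config> <CONFIG_*_FS symbol of the root fs>
check_noinitrd_config() {
    cfg=$1; rootfs=$2; rc=0
    for sym in CONFIG_USB_SUPPORT CONFIG_USB_EHCI_HCD CONFIG_USB_STORAGE \
               CONFIG_SCSI CONFIG_BLK_DEV_SD "$rootfs"; do
        if grep -q "^$sym=y" "$cfg"; then
            continue
        elif grep -q "^$sym=m" "$cfg"; then
            echo "$sym=m: module, so unavailable before the root fs is mounted"
        else
            echo "$sym: not set"
        fi
        rc=1
    done
    # Not an error, just the trap described above: a kernel built with
    # initrd support will try to use whatever ramdisk U-Boot hands it.
    if grep -q '^CONFIG_BLK_DEV_INITRD=y' "$cfg"; then
        echo "note: CONFIG_BLK_DEV_INITRD=y, check that bootm is not passing a ramdisk"
    fi
    return "$rc"
}

# Constructed sample configs (fragments, not real kernel configs).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
CONFIG_USB_SUPPORT=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_STORAGE=y
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
CONFIG_EXT4_FS=y
# CONFIG_BLK_DEV_INITRD is not set
EOF
cat > "$BAD" <<'EOF'
CONFIG_USB_SUPPORT=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_STORAGE=m
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
# CONFIG_EXT4_FS is not set
CONFIG_BLK_DEV_INITRD=y
EOF
check_noinitrd_config "$GOOD" CONFIG_EXT4_FS && echo "good config: ok"
check_noinitrd_config "$BAD" CONFIG_EXT4_FS || echo "bad config: would not boot"
```

On the U-Boot side, bootm takes the ramdisk address as its optional second argument, so with no initrd the boot command should pass only the kernel address (or a literal - in the ramdisk position when a device tree address follows). printenv at the U-Boot prompt, over the serial console from post #2, shows what bootcmd is actually handing the kernel.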

Goodluck hacking your GoFlex :)

recursive get from an FTP server

As far as the stock ftp client goes, downloading a whole directory tree over FTP from the command line is not possible. Some have found mget to be the holy grail; I certainly do not, since it only fetches the files of one directory and never recurses.

I was restoring my music backup from my NAS and didn't want to do it the GUI way, so the CLI was the other, obvious option.

Trying to do a recursive fetch from the FTP prompt did not work at all.

Here is the better solution: recursive wget.

$ wget -r -l 0 ftp://user:password@server/directory

wget will now recursively fetch that entire directory.

Note: some servers need the credentials passed as --user and --password (or --ftp-user and --ftp-password) rather than embedded in the URL. Either way they end up in your shell history and are visible to other users in the process list, so for anything but a throwaway account use --ask-password or a ~/.netrc entry instead.

Evidently, SEED is just a kid in the corporate world

Despite several efforts over the past two days to contact SEED Infotech regarding their mishap, they do not respond. E-mails, Twitter updates, Facebook posts being deleted from their end: it says everything, SEED Infotech is lazy. They cannot afford to sponsor an event such as this one. What's more, today's challenge makes no sense whatsoever! SEED tried to put up a memorial contest to pay their respects to Dennis Ritchie, the creator of C. They called it a "mega-event in January"; I call it a "mega-flop in January".

The day they came to The Wilson College, they seemed disorganized. They didn't seem to know what they were doing themselves.

SEED has lowered the level of computing; SEED has brought their level from zero to nil. To top it all off, they had an insane web programmer who didn't know what he was doing. Notice the actual link of the page, followed by what it's supposed to be:


Clearly, they do not have the potential to host such an event, and must never be allowed to.

They haven't once shown a sign of improvement: incorrect answers, incorrect questions, what more is there to it? This proves SEED's incompetence at hosting an event which, surprisingly, should be easy enough to pull off correctly.

Last but not least, @SEEDInfotech, you're just a kid in the corporate world. Congratulations on winning this title.

As Francis Pereira says, “good talent is always hard to find“, and SEED does not have such talent.

SEED hits the pit again #iknowvention

SEED continues to make mistakes.

So is today’s challenge:

int main(int argc, char *argv[])
{
    /* body of the challenge (the "seed" array and its printf) not reproduced here */
    return 0;
}

The answer to the above is 0: array indexing starts at 0, so index 4 lies one past the 'd' of "seed", where (for a string literal) the terminating NUL sits, and its value is 0. Had the index been 3, it would print the character code for 'd', and that would have been the right answer.
However, none of the options had the value 0; they had other values.

@SEEDInfotech, why make such obvious mistakes on your side? Didn’t you already learn from my last post? There simply is no room for such mistakes!
Isn’t there any moderator smart enough in your company?

@SEEDInfotech #iknowvention

SEED makes Blunder! #iknowvention

Alright, so I’m taking part in this SEED Infotech C programming contest, and here’s one of yesterday’s challenges:

 if(printf("C for yourself how it works \n");

One of the options was
a) C for yourself how it works infinate times

Now isn't that catchy? Look at it closely: the closing parenthesis of the if is missing!

@SEEDInfotech, how did you choose that as the right answer?

Hit http://seed-iknowvention.com/PlayIKnowVation.aspx, and then click on previous level’s correct answer.

Import your Nokia S40 Contacts to Google or the like

Nokia S40 phones can't sync with Google or any other good online service. So if you want to export the contacts from your phone and import them into your Gmail contacts or another contact manager, how do you go about it?

It’s a little complicated, but easy once you do it for the first time.

From your Nokia S40 phone:
Take a backup of only your contacts, and transfer the backup file to a computer running GNU/Linux (if anyone can replicate this process on Windows, drop a comment).

On your desktop:
The NBF file is a plain zip archive. Unzip it and navigate to the contacts folder:

$ unzip Backup000.NBF
$ cd predefhiddenfolder/backup/WIP/32/contacts/

If that path does not exist, look for a directory named contacts in the extracted tree.
The contacts are stored in the popular vCard format, one .vcf file per contact. Let's combine them into a single vCard file:

$ cat *.vcf > ~/Desktop/phone-contacts.vcf

Now you can import this file into any contact management application that supports the vcard format.
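As an added example (not from the post), a slightly sturdier version of the merge step above: a .vcf file without a trailing newline makes cat glue its END:VCARD onto the next card's BEGIN:VCARD, which importers then reject, and cat *.vcf only sees the directory you are standing in. The sample backup tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the post: merge the per-contact .vcf files of an
# unpacked NBF backup into one vCard file.  A bare cat *.vcf has two weak
# spots: a file without a trailing newline glues its END:VCARD onto the
# next BEGIN:VCARD, and it only sees the directory you happen to be in.
# merge_vcards <dir> <out> walks the whole tree, strips CRs, guarantees a
# newline after every card, and skips files whose BEGIN/END markers do not
# pair up; it returns the number of files skipped.
merge_vcards() {
    src=$1; out=$2; rejected=0
    list=$(mktemp)
    # A fixed sort order keeps the merged file reproducible across runs.
    find "$src" -type f -name '*.vcf' | LC_ALL=C sort > "$list"
    : > "$out"
    while IFS= read -r f; do
        b=$(grep -c '^BEGIN:VCARD' "$f" || true)
        e=$(grep -c '^END:VCARD'   "$f" || true)
        if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
            echo "skipping $f: $b BEGIN / $e END" >&2
            rejected=$((rejected + 1))
            continue
        fi
        # awk re-emits every record with its own newline, so a missing
        # final newline and CRLF line endings are both normalised here.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done < "$list"
    rm -f "$list"
    return "$rejected"
}

# Number of cards in a merged file, for a quick check before importing.
count_vcards() { grep -c '^BEGIN:VCARD' "$1" || true; }

# Constructed sample: two good cards (one with no final newline, one with
# CRLF endings) and one truncated file, in a nested layout like the backup.
SRC=$(mktemp -d); mkdir -p "$SRC/sub"
printf 'BEGIN:VCARD\nVERSION:2.1\nN:Doe;John\nTEL:+15550100\nEND:VCARD' > "$SRC/a.vcf"
printf 'BEGIN:VCARD\r\nVERSION:2.1\r\nN:Roe;Jane\r\nEND:VCARD\r\n' > "$SRC/sub/b.vcf"
printf 'BEGIN:VCARD\nN:Broken\n' > "$SRC/c.vcf"
MERGED=$(mktemp)
merge_vcards "$SRC" "$MERGED"; REJECTED=$?
echo "merged $(count_vcards "$MERGED") cards, skipped $REJECTED file(s)"
```

Point it at the extracted backup directory and at ~/Desktop/phone-contacts.vcf to get the same file the cat line produces, minus the glued cards; the skipped files are listed on stderr so you can look at them by hand.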

For GMail:
Navigate to Contacts (located at the top left corner), then under More actions click Import. Choose the newly created combined vCard file (on your desktop) and click Import.

To clean things up, in the Contacts view in Gmail select More actions again and click Find & merge duplicates...; this ensures you don't end up with duplicate contacts and tidies your contacts as well.

If someone accomplishes this in Windows, please leave a comment on doing so.

Resetting a User’s Home Permissions

Recently I managed to mess up my home directory permissions, to the extent that I owned the files but couldn't read them.

Fixing the permissions of an entire user's home directory is simple. Note what this does and does not do: u+rwX adds read/write for the owner, and execute only on directories and on files that already have an execute bit; it never touches the group/other bits, so anything you had accidentally left world-writable stays that way, and ~/.ssh still has to be 700 with private keys at 600 for ssh to accept them.

# chown user:user -R /home/user/
# chmod -R u+rwX /home/user/
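As an added example (not from the post), a function that does the same reset but also strips group/world write bits and tightens ~/.ssh, the two things the chown/chmod pair above leaves alone. The damaged sample home directory is constructed inline; the mode() helper only exists to read back octal modes.

```shell
#!/bin/sh
# Added example, not from the post: reset a home directory to owner-only-
# writable permissions.  It goes one step past chmod -R u+rwX: that pass
# only adds owner bits, so group/world write bits set by accident stay, and
# ~/.ssh keeps whatever mode broke ssh.  fix_home <dir> <owner> [<group>]
# (group is optional because chgrp needs root or membership in that group).
fix_home() {
    home=$1; owner=$2; group=${3:-}
    [ -d "$home" ] || { echo "fix_home: no such directory: $home" >&2; return 1; }

    # Ownership first.  -R without -L (the default) does not follow symlinks,
    # so a link from the home tree to /etc cannot drag chown outside it.
    chown -R -- "$owner" "$home"
    if [ -n "$group" ]; then chgrp -R -- "$group" "$home"; fi

    # find -type d / -type f skip symlinks for the same reason.  Directories
    # need x to be traversable; files keep whatever x bit they already have.
    find "$home" -type d -exec chmod u+rwx,go-w {} +
    find "$home" -type f -exec chmod u+rw,go-w {} +

    # ssh refuses a private key other users can read, and sshd (StrictModes)
    # ignores authorized_keys under a group/world-writable ~/.ssh.
    if [ -d "$home/.ssh" ]; then
        chmod 700 "$home/.ssh"
        find "$home/.ssh" -type f ! -name '*.pub' -exec chmod 600 {} +
        find "$home/.ssh" -type f -name '*.pub' -exec chmod 644 {} +
    fi
}

# Octal mode of a path (GNU stat, with a BSD fallback), for checking results.
mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Constructed sample tree with the damage the post describes (owned by you
# but unreadable) plus a world-writable directory and an exposed key.
HOME_T=$(mktemp -d)
mkdir -p "$HOME_T/music" "$HOME_T/.ssh"
printf 'data\n' > "$HOME_T/music/song.mp3"
printf 'key\n'  > "$HOME_T/.ssh/id_rsa"
printf 'pub\n'  > "$HOME_T/.ssh/id_rsa.pub"
chmod 000 "$HOME_T/music/song.mp3"   # owned but unreadable
chmod 777 "$HOME_T/music"            # world-writable
chmod 644 "$HOME_T/.ssh/id_rsa"      # private key readable by all
chmod 600 "$HOME_T/.ssh/id_rsa.pub"
chmod 777 "$HOME_T/.ssh"
ln -s /etc "$HOME_T/etc-link"        # must not be followed
fix_home "$HOME_T" "$(id -u)"
echo "music=$(mode "$HOME_T/music") song=$(mode "$HOME_T/music/song.mp3") ssh=$(mode "$HOME_T/.ssh")"
```

Run it as the user (chown to your own uid needs no root) or as root with the group argument. Like the pair of commands above it is recursive, so be sure of the directory you hand it.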


liferea and gmail

I bet that mail client of yours just sits there doing nothing, when its sole purpose is to tell you the minute a new e-mail arrives. It takes up a lot of memory just to do that, doesn't it? What if you could check for new mail via an RSS feed instead?

liferea to the rescue! It's a simple, easy and powerful RSS client which can manage many feeds and provides notifications via libnotify. Setting up Gmail as a new feed is very easy. Install it following your distribution's instructions.
Launch liferea from the menu and click "New Subscription". The feed source for your Gmail inbox is https://mail.google.com/mail/feed/atom. Click OK; a little while later it will ask for your login credentials.

Username: example
Password: ******

Do not include @gmail.com. And you're all set to receive mail updates. Look in Tools -> Preferences to tune liferea. Bear in mind that liferea saves this password on disk and the feed authenticates with HTTP Basic auth (over HTTPS), so if your account offers application-specific passwords, use one of those here rather than your main account password.
You can also add your facebook notifications feed as well.

comparison sheet | plug computers

A lot of these plug computers are on the market. Which one is right for you? Here's a comparison sheet to help you decide which one you should be looking at (KW = Marvell Kirkwood; blank cells are values I don't know):

Plug Computer        | Processor     | Memory                 | JTAG     | WiFi | Network    | USB | SATA | Price
---------------------+---------------+------------------------+----------+------+------------+-----+------+------
Ionics Cumulus       | KW 1.2GHz     | 512MB NAND, 512MB DDR2 | Yes      | Yes  | 1 Ethernet | 1   | 2    |
Seagate Dockstar     | KW 1.2GHz     | 256MB NAND, 128MB RAM  | Make One | No   | 1 Ethernet | 3   | 0    | $30
Pogo Plug Pro        |               |                        | No       | Yes  | 1 Ethernet | 4   | 0    | $99
Open RD Client       | Sheeva 1.2GHz | 512MB NAND, 512MB DDR2 | Yes      | No   | 2 Ports    | 7   | 2    | $250
Beagle Board         | TI 600MHz     | 256MB NAND, 128MB RAM  | Yes      | No   | 1 Ethernet | 1   | 0    | $150
Guru Plug            | KW 1.2GHz     |                        | Yes      | No   | 2 Ports    | 2   | 1    | $99
Guru Plug Server     | KW 1.2GHz     | 512MB NAND, 512MB DDR2 | Yes      |      | 2 Ports    | 3   | 1    | $129
Marvell Sheeva Plug  | KW 1.2GHz     | 512MB NAND, 512MB DDR2 | Yes      | No   | 1 Ethernet | 1   | 0    | $99

If anyone can fill in the missing values, please leave a comment

rsyslog: readable time stamps

Since rsyslog's recent change of default time stamp format, your logs carry high-precision RFC 3339 time stamps of the form 2011-05-21T05:11:15.536086+00:00 (the grsecurity logs further down this page show them).

Now isn't that hard to read? Here's how to switch to the simpler traditional format: add the following to the beginning of /etc/rsyslog.conf. Be aware of what you give up, though: the traditional stamp drops the year, the time zone and sub-second resolution, all of which matter when correlating logs across hosts during an incident, so keep the high-precision format on anything you may have to investigate later. rsyslog also ships the traditional layout as the built-in template RSYSLOG_TraditionalFileFormat; it differs from the one below in using the message's own time stamp (%timereported%) rather than %timegenerated%, the time rsyslog received the message.

# Traditional Output Method
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate TraditionalFormat

Restart rsyslog. This is what you will get:
Jun 5 00:22:58

playing with grsecurity | a brief tutorial

This howto is intended for those looking for better means to secure the Linux kernel and userland by way of a powerful yet simple role-based access control (RBAC) policy.


  1. What is grsecurity?
  2. Setting up grsecurity + gentoo in a VM
  3. The real thing: Grsecurity
    1. Getting familiar with gradm
    2. Generating the policy
    3. Fixing the errors
    4. Roles, subjects and objects
    5. The include directive
    6. Best Practices for /etc/grsec/policy
  4. Filtering grsecurity logs with rsyslog

What is grsecurity?

grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to its users.

Extensive information about grsecurity can be found from the following links:

This tutorial gives a brief introduction to using grsecurity. The grsecurity wikibook is written by Bradley Spengler, the creator of grsecurity.

Setting up grsecurity + gentoo in a VM

To test grsecurity's features, we'll set up Gentoo Hardened in a QEMU virtual machine. First, install QEMU:

  • Redhat: yum install qemu qemu-img
  • Debian: aptitude install kvm
  • Gentoo: emerge -av qemu-kvm with the following use flags: aio hardened jpeg ncurses png qemu_softmmu_targets_arm qemu_softmmu_targets_i386 qemu_softmmu_targets_x86_64 qemu_user_targets_x86_64 ssl

Create a raw image, partition it, and attach the partition to a loop device (the offset is the partition's start sector times the 512-byte sector size):

# qemu-img create -f raw grsec.gentoo.img 2G
# fdisk grsec.gentoo.img
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xe2c8c9c9.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
Partition number (1-4, default 1): 1
First sector (2048-4194303, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-4194303, default 4194303):
Using default value 4194303

Command (m for help): a
Partition number (1-4): 1

Command (m for help): p

Disk grsec.gentoo.img: 2147 MB, 2147483648 bytes
255 heads, 63 sectors/track, 261 cylinders, total 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe2c8c9c9

	   Device Boot      Start         End      Blocks   Id  System
grsec.gentoo.img1   *        2048     4194303     2096128   83  Linux

Command (m for help): w
The partition table has been altered!

Syncing disks.
# losetup -v -o $((512*2048)) -f grsec.gentoo.img
Loop device is /dev/loop0
# mkfs.ext4 -L "grsec.gentoo" /dev/loop0
# mkdir grsec.gentoo-rootfs
# mount /dev/loop0 grsec.gentoo-rootfs

Now download the hardened Gentoo stage3 and follow chapters 5 to 10 of the Gentoo x86_64 handbook, keeping the following in mind:

  • Select the profile "hardened/linux/amd64"
  • For networking, choose the DHCP method. We'll discuss how to create custom rules for ssh later.
  • When doing anything related to GRUB, see below
  • Install the kernel sources, =sys-kernel/hardened-sources-2.6.38, and =sys-apps/gradm- ; if necessary, unmask them.
  • The extra packages I installed are dhcp openssh eix pciutils vim gentoolkit rsyslog vixie-cron grub =sys-kernel/hardened-sources-2.6.38 =sys-apps/gradm-
  • The kernel config for the QEMU environment is listed below.

Kernel configuration for the environment (only the essentials):

-> Processor type and features
  -> Processor family
    -> Core 2/newer Xeon (set this to your host CPU)

-> Device Drivers
   -> Serial ATA and Parallel ATA drivers
     -> ATA SFF support
       -> ATA BMDMA support
         -> Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA support

-> Device Drivers
  -> Network device support
    -> Ethernet (10 or 100Mbit)
      -> RealTek RTL-8129/8130/8139 PCI Fast Ethernet Adapter support

-> File systems
  -> The Extended 4 (ext4) filesystem
    -> Use ext4 for ext2/ext3 file systems

-> Security options
  -> Grsecurity
    -> Grsecurity
      -> Security Level
        -> Hardened Gentoo [virtualization]
    -> Filesystem Protections
      -> Restrict /proc to user only
  -> Restrict unprivileged access to the kernel syslog

That's all that's essential; go ahead and drop extra things that just bloat the kernel. Make sure you disable Paravirtualized guest support under Processor type and features in any case: with it enabled, the system did not boot in my setup.

GRUB menu entry:

title gentoo hardened
root (hd0,0)
kernel /boot/vmlinuz-2.6.38-hardened root=/dev/sda1

Exit the chroot, but do NOT unmount the filesystem yet: the grub setup below reads stage2 out of the still-mounted rootfs. Attach the whole image (without the partition offset this time) to a second loop device so grub can see the partition table. The device.map written below is optional, as the device command inside the grub shell does the same mapping:

# losetup -v -f grsec.gentoo.img
Loop device is /dev/loop1
# echo "(hd0) /dev/loop1" > /tmp/device.map
# grub --device-map=/dev/null
    GNU GRUB  version 0.97  (640K lower / 9216K upper memory)

     [ Minimal BASH-like line editing is supported.  For the first word, TAB
       lists possible command completions.  Anywhere else TAB lists the possible
       completions of a device/filename. ]

grub> device (hd0) /dev/loop1

grub> root (hd0,0)
Filesystem type is ext2fs, partition type 0x83

grub> setup --stage2=/path/to/grsec.gentoo-rootfs/boot/grub/stage2
 Checking if "/boot/grub/stage1" exists... yes
 Checking if "/boot/grub/stage2" exists... yes
 Checking if "/boot/grub/e2fs_stage1_5" exists... yes
 Running "embed /boot/grub/e2fs_stage1_5 (hd0)"...  18 sectors are embedded.
 Running "install --stage2=/path/to/grsec.gentoo-rootfs/boot/grub/stage2 /boot/grub/stage1 (hd0)
  (hd0)1+18 p (hd0,0)/boot/grub/stage2 /boot/grub/menu.lst"... succeeded

grub> quit

Now startup the virtual machine.

$ qemu-kvm -cpu qemu64 -smp 2 -m 384M -hda grsec.gentoo.img -curses \
-net user -net nic,model=rtl8139 -redir tcp:8022::22

This brings up an ncurses-based UI for the VM. The -redir option forwards host port 8022 to port 22 in the guest, which is what the ssh commands further down rely on.

The real thing: Grsecurity

If you noticed in the kernel configuration, you set Restrict /proc to user only. Create an unprivileged user and log in as it: top will show only the processes owned by that user, ls /proc will confirm that, and dmesg will report Operation not permitted. These are just a few of the basic hardening options; you can go ahead and pick the Custom security level in the kernel config and set up the system as you like. For now, we'll discuss grsecurity's RBAC system.

Getting familiar with the RBAC system of grsecurity: gradm

gradm is the tool that enables, disables and controls grsecurity's RBAC system. It is very powerful. Let's start from the beginning: setting passwords and enabling full learning.
gradm -P sets the master password, which is needed to disable and reload the RBAC system. gradm -P <role> sets the password for a role defined in the policy file.

# gradm -P
Setting up grsecurity RBAC password
Re-enter Password:
Password written to /etc/grsec/pw.
# gradm -P admin
Setting up password for role admin
Re-enter Password:
Password written to /etc/grsec/pw.
# gradm -P shutdown
Setting up password for role shutdown
Re-enter Password:
Password written to /etc/grsec/pw.

Full system learning:

grsecurity has a feature called learning. To begin with, enable full system learning: gradm logs every action on the system to the learning log, and the policy generated from it allows exactly those. Anything you do not want ordinary users to be allowed to do must therefore be done from inside a special role (the admin role, below), where it is not recorded. To enable full system learning, create a new file /etc/local.d/gradm.start with the following contents:

/sbin/gradm -FL /grlearn.log

Make the file executable with chmod +x /etc/local.d/gradm.start; it will then run automatically on the next boot. Add the sshd and rsyslog services to their runlevels and reboot:

# rc-update add sshd default
# rc-update add rsyslog boot
# reboot

Now you can ssh into the machine, by:

$ ssh root@localhost -p 8022

Do something, then check the logs: ssh into the VM from another terminal and tail -f /grlearn.log.
You'll see many entries when you run specific commands, e.g. uptime or wget; lots of entries are generated. System packages need to be installed only from the admin role, so log in to the admin role and install a package. Restarting the sshd service from there is a good idea too.

# gradm -a admin
# emerge -avuDN vim

Notice that nothing is logged to grlearn.log while you are in that role. To leave the role, simply run gradm -u.

Generating the policy

Once the full learning process is done, or rather once you've done everything you don't want ordinary users to be able to do from the admin role, it's time to generate the policy. Desktop users may want to leave full learning running for a day or two. First disable the RBAC system (gradm -D), then generate the policy and append it to the default one.

# gradm -FL /grlearn.log -O /etc/grsec/flearn.policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user sshd...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /sbin/rc...done.
Beginning full learning object reduction for subject /usr/bin/wget...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Full learning complete.
# cat /etc/grsec/flearn.policy >> /etc/grsec/policy

Fixing the errors:

If you simply run gradm -E now, it won't work. Let's look at the errors and fix them.

# gradm -E
Duplicate object found for "/lib64" in role shutdown, subject /, on line 257 of /etc/grsec/policy.
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line.  The RBAC system will not load until this error is fixed.

Open the policy file with your favourite editor and go to that line. Comment it out: the path is already covered, because it is a symlink to an object that is listed earlier. Check the policy file for errors again with gradm -C. Another error, great! Yes, just comment out all of those lines; they are the same reference. Finally you'll reach the good error:

# gradm -C
Duplicate role admin on line 463 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.

This duplicate exists because the default policy installed with gradm already contains an admin role. Go to those lines and comment them out:

#role admin sA
#subject / rvka
#       / rwcdmlxi

If you see an error like the following, you have to add the $grsec_denied variable to that role:

# gradm -C
Viewing access is allowed by role root to /proc/kcore [...]

Reading access is allowed by role root to /proc/slabinfo [...]

Reading access is allowed by role root to /proc/modules [...]

Reading access is allowed by role root to /proc/kallsyms [...]

There were 4 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.

I'll explain roles, subjects, objects and modes further down in this tutorial. For now, search for the string "role root" in the policy file and follow it downwards until you come to -CAP_ALL; add $grsec_denied just before that line.
Once gradm -C reports no errors in the policy file, the grsecurity RBAC system is ready to be loaded. Enable it and see if it's working:

# gradm -E

Now in the syslog you should see this:
2011-05-21T05:11:15.536086+00:00 localhost kernel: [ 3070.796712] grsec: From (root:U:/sbin/gradm) grsecurity 2.2.2 RBAC system loaded by /sbin/gradm[gradm:1767] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1542] uid/euid:0/0 gid/egid:0/0

# ls /etc/grsec
ls: cannot access /etc/grsec: No such file or directory

Voilà! The RBAC system is running: /etc/grsec is hidden from anyone outside the admin role.
Now, if you ssh into the system, it will fail. Take a look at the logs (/var/log/messages):

2011-05-24T03:15:08.836286+00:00 localhost kernel: [ 2011.183591] grsec: From (root:U:/) denied open of /proc/1677/oom_score_adj for writing by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.836320+00:00 localhost kernel: [ 2011.183822] grsec: From (root:U:/) denied access to hidden file /usr/sbin/sshd by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.837263+00:00 localhost kernel: [ 2011.184485] grsec: From (root:U:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.857339+00:00 localhost kernel: [ 2011.204857] grsec: From (root:U:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.860352+00:00 localhost kernel: [ 2011.207771] grsec: From (root:U:/) use of CAP_SYS_CHROOT denied for /usr/sbin/sshd[sshd:1678] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0

Each denied line names the resource that was refused (the object: a path, a socket, or a capability) and, after "by", the program that asked for it (the subject, /usr/sbin/sshd here). Log in to the admin role (gradm -a admin), search for the string "role root" and then for "subject /usr/sbin/sshd", and add the following entries in the right places (stick to alphabetical order, it's easier to read):

        /proc/*/oom_score_adj      rw
        /usr/sbin/sshd                  rx
        /var/empty                      r

Reload the RBAC system (gradm -R) and you should be able to ssh now. There are still a few errors in the logs; adding the following two lines fixes them.

        /var/log/tallylog           rw
        /proc/*/loginuid           rw

This should fix everything that ssh needs access to.
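Reading denial lines and hand-adding objects gets tedious once more than one subject is involved. As an added example (not from the post and not part of grsecurity), the following shell/awk script parses kernel lines in the format shown above into candidate policy lines grouped by subject. The mode mapping is my own and deliberately minimal: a denied write yields w rather than the rw used above, a hidden-file denial yields r with a reminder to add x if the subject executes the file, and a capability denial becomes a +CAP_ line for the subject. The sample input is the page's own sshd lines plus one constructed wget line to show grouping. Treat the output as a starting point to review, not a policy to paste, and run gradm -C afterwards.

```shell
#!/bin/sh
# Added example, not from the post or from the grsecurity project: turn the
# "grsec: ... denied ..." kernel lines into candidate RBAC policy lines
# grouped by subject, so the log-read-add-object loop used to fix sshd
# above can be done in one pass.  The mode mapping is mine and minimal;
# review every line before it goes into /etc/grsec/policy.
suggest_policy() {
    awk '
    # text of s between the first a and the next b (rest of s if no b)
    function between(s, a, b,    i, j) {
        i = index(s, a); if (i == 0) return ""
        s = substr(s, i + length(a))
        j = index(s, b); if (j == 0) return s
        return substr(s, 1, j - 1)
    }
    # /proc/<pid>/... is per-process; the policy wants the wildcard form
    function generalize(p) { gsub(/\/proc\/[0-9]+\//, "/proc/*/", p); return p }
    # record one (subject, object, mode) triple, deduplicated, in first-seen order
    function add(subj, obj, mode,    key, entry) {
        key = subj SUBSEP obj
        if (key in seen) return
        seen[key] = 1
        if (!(subj in subjs)) { subjs[subj] = 1; order[++n] = subj }
        entry = (mode == "") ? "    " obj : sprintf("    %-32s %s", obj, mode)
        body[subj] = body[subj] entry "\n"
    }
    /grsec: / && index($0, "denied open of ") {
        acc = between($0, " for ", " by ")
        mode = (acc == "reading and writing") ? "rw" : ((acc == "writing") ? "w" : "r")
        add(between($0, " by ", "["), generalize(between($0, "denied open of ", " for ")), mode)
        next
    }
    /grsec: / && index($0, "denied access to hidden file ") {
        # a hidden object must at least be readable; add x if the subject executes it
        add(between($0, " by ", "["), between($0, "denied access to hidden file ", " by "), "r    # add x if executed")
        next
    }
    /grsec: / && index($0, "denied connect() to the unix domain socket ") {
        add(between($0, " by ", "["), between($0, "unix domain socket ", " by "), "rw")
        next
    }
    /grsec: / && index($0, " denied for ") {
        # capability denial: goes into the subject as +CAP_xxx, no object mode
        add(between($0, "denied for ", "["), "+" between($0, "use of ", " denied"), "")
        next
    }
    END {
        for (i = 1; i <= n; i++) { print "subject " order[i]; printf "%s", body[order[i]] }
    }' "$1"
}

# Constructed sample: the sshd lines from this page plus one made-up wget
# line (role jude, uid 1000) to show grouping by subject.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2011-05-24T03:15:08.836286+00:00 localhost kernel: [ 2011.183591] grsec: From (root:U:/) denied open of /proc/1677/oom_score_adj for writing by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.836320+00:00 localhost kernel: [ 2011.183822] grsec: From (root:U:/) denied access to hidden file /usr/sbin/sshd by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.837263+00:00 localhost kernel: [ 2011.184485] grsec: From (root:U:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.857339+00:00 localhost kernel: [ 2011.204857] grsec: From (root:U:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:15:08.860352+00:00 localhost kernel: [ 2011.207771] grsec: From (root:U:/) use of CAP_SYS_CHROOT denied for /usr/sbin/sshd[sshd:1678] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0
2011-05-24T03:16:00.000000+00:00 localhost kernel: [ 2063.000000] grsec: From (jude:U:/) denied open of /etc/hosts for reading by /usr/bin/wget[wget:1702] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:1650] uid/euid:1000/1000 gid/egid:1000/1000
EOF
suggest_policy "$SAMPLE"
```

Run it over /var/log/messages (or the dedicated grsecurity log from the rsyslog section) after each failed attempt, then move the lines it prints under the right role and subject by hand. The deduplication matters because a single sshd connection can repeat the same denial several times, as the two /dev/log lines above show.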

Roles, subjects and objects

The structure takes the following pattern:

role <user> u
<user attributes>

subject <app/binary> o
    <object>                <mode>

subject <app/binary> <mode(s)>
    <object>                <mode>

The letter 'u' after the username indicates that this is a user role; 'g' marks a group role. Attributes include role transitions, ip_allow, etc. A complete description is found in the grsecurity wikibook.

Subjects contain objects, which define what access the subject in question has; objects carry modes of their own. The 'o' on the first subject makes sure nothing is inherited from the default policy or the user policy.

The include directive

Once you're familiar with the policy file, reinstall the default one and use the include directive in the main policy file to pull in a directory containing policies for the different users, subjects and so on.

A reasonable structure would be to have:


To learn the actions of a new user, add the following at the end of the main policy file (the 'l' puts that role into learning mode):

role jude ul

Then start the learning process with gradm -L /etc/grsec/policy.d/jude/learning.logs -E. Generate the policy from the logs (gradm -L <log> -O <output>, as in the full learning step above) and save it as basic.policy in that user's policy directory. Once you're done, delete the learning line you added and replace it with:

include </etc/grsec/policy.d/jude/basic.policy>


Best Practices for /etc/grsec/policy

  • Make the policy as restrictive as possible; there are many features not touched in this tutorial, so read the grsecurity wikibook for a complete hands-on guide.
  • Keep things simple, and keep to alphabetical order.
  • Create a policy and directory structure you're comfortable with.
  • At the beginning of the policy file there are a lot of details about the RBAC system; read them.

Filtering grsecurity logs with rsyslog

If you're using rsyslog, you may want to split the grsecurity messages out into their own file. Add the following lines to /etc/rsyslog.conf and restart rsyslog. Two things to keep in mind: rsyslog processes rules in order and the second line discards the matched messages so that later rules never see them, so put these lines before the general catch-all rules rather than at the very end (newer rsyslog versions spell that discard action stop instead of ~); and since this is a plain substring match, any message whose text merely contains "grsec" ends up in that file as well.

# grsec logs
:msg, contains, "grsec" /var/log/grsecurity.log
:msg, contains, "grsec" ~

If you encounter any problems whilst following this tutorial, feel free to comment