# kernel panic not anymore logged as it used to be

## miroR

Originally I tried to post a very short digression in my topic:

A Firewalled Internet Access to Internal Subnet

https://forums.gentoo.org/viewtopic-t-1041028.html#7897958

and I started like this:

Skip this if you don't have time and are only interested in the bridge and firewall for a case like mine. This post only touches upon it, because what I briefly describe here happened because I tried to familiarize myself more with the necessary tools...

(Changing this a few minutes later, opening a new topic instead, and not making a digression there.)

This happened when I tried to familiarize myself more with the necessary tools, and after "man ip", I tried:

```
# ip monitor all
```

And in another terminal I simply tried:

```
# ping 192.168.1.1
```

And right there and then the system froze, and the light (I think it's NumLock or CapsLock or some such) on the top right side of the keyboard started flashing.

Obviously, the kernel panicked.

However, there is nothing whatsoever in the logs anymore, as there used to be....

It used to be.... Have a look at:

grsec: halting the system due to suspicious kernel crash

http://forums.grsecurity.net/viewtopic.php?f=3&t=3709

where you will find transcriptions and pictures of the panic posted by me, and also the use-after-free bug in action, confirmed by spender.

```
Mar 27 09:13:39 g0n kernel: [51920.101120] grsec: (admin:S:/) exec of /bin/ip (ip -a route show ) by /bin/ip[bash:3775] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:13:44 g0n kernel: [51924.953681] grsec: (admin:S:/) exec of /bin/ip (ip route show ) by /bin/ip[bash:3776] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:13:53 g0n kernel: [51934.051701] grsec: (admin:S:/) exec of /bin/ip (ip route monitor ) by /bin/ip[bash:3777] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:14:18 g0n kernel: [51959.880329] grsec: (admin:S:/) exec of /bin/ip (ip monitor ) by /bin/ip[bash:3778] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:16:37 g0n syslog-ng[2338]: syslog-ng starting up; version='3.4.8'
Mar 27 09:16:37  kernel: [    0.000000] Linux version 4.4.4-hardened-160326 (root@g0n) (gcc version 5.3.0 (Gentoo Hardened 5.3.0 p1.0, pie-0.6.5) ) #4 SMP PREEMPT Sat Mar 26 17:33:25 CET 2016
Mar 27 09:16:37 g0n kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.4.4-hardened-160326 root=/dev/sda3 ro
Mar 27 09:16:37 g0n kernel: [    0.000000] tseg: 00df800000
Mar 27 09:16:37 g0n kernel: [    0.000000] x86/fpu: Legacy x87 FPU detected.
Mar 27 09:16:37 g0n kernel: [    0.000000] x86/fpu: Using 'lazy' FPU context switches.
Mar 27 09:16:37 g0n kernel: [    0.000000] e820: BIOS-provided physical RAM map:
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000de1f3fff] usable
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000de1f4000-0x00000000de4f2fff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000de4f3000-0x00000000de8ddfff] ACPI NVS
```

So, the panic cannot be caught anymore; it's hidden, prevented from being logged... Looks intentional to me, like the things that you can read from my signature.

Just please let me tell you upfront that I am consumed by the task in that other topic linked at the top. I might be slow to reply here.

----------

## miroR


First posted on kernel panic not anymore logged as it used to be, formatted for phpBB.

To follow here, download:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/dLo.sh

and run it to download the rest of the files from cap-160327-nft/ .

There are also yesterday morning's freeze dumpcap and the corresponding messages lines:

dump_160327_0902_g0n.pcap

dump_160327_0902_g0n.messages

The system froze again (but I think I know what it may be; it was in the post for me, but I had been all over the place and kept forgetting about it; later below I tell all).

First I checked carefully that there was no login information of mine in:

dump_160327_1916_g0n.pcap

and where it froze can be seen in the excerpt from my /var/log/messages:

dump_160327_1916_g0n.messages

How did I check that there wasn't any login info in the PCAP? By merely scrolling through the entire PCAP in Wireshark? That would take really long. No. I used the script tshark-http-uri.sh, and after I ran it, I grep'ed the extracted text files for the string 'login' and looked up those frame numbers in the PCAP.

Then I tried to find in the PCAP a possible reason for the freeze of the system. Entering in the filter line:

ip.src == 216.58.214.234 || (ip.src == 77.238.163.222) || (ip.dst == 64.233.184.95) || (ip.dst == 68.232.35.121) || (ip.dst == 54.239.158.19)

didn't help (but I'm not an expert at all). (The morning's freeze will tell even less. There was no connecting to the internet at all.)

This is also significant. You get it when you open the file in Wireshark, or with tshark.

```
tshark: The file "dump_160327_1916_g0n.pcap" appears to be damaged or corrupt.
(pcapng_read_unknown_block: total block length 0 of an unknown block type is less than the minimum block size 12)
```

But I'm afraid not even people from Netfilter could help, because I didn't have the debugging of Netfilter on (I remember vaguely seeing it in the kernel config, and I remember how someone wrote somewhere that it wasn't safe, and how people from Netfilter took care to point out, somewhere in their docs, that it was safe... Vaguely, sorry, working all over...).

And so it'll probably remain a mystery not solved for me.

Because I figured out it probably was just:

the code that I set up my Nftables with, the one from Archlinux (please see that other topic, A Firewalled Internet Access to Internal Subnet, for the discussion about nft code files), was just an example... I should have reverted, and I did before I went on to post this, to the Nftables Gentoo Wiki Typical Workstation example instead.

If you look it up, there's e.g. the bootpc in that code. There is completely no point using it in my system; I don't boot this machine from elsewhere on the network ;-) ...

I wanted to tell more about what happened, as much as I could.

But why no panic recorded in the logs? I really have no idea. Everything all of a sudden quit working. Total freeze...

And it happened the two times (or even one more other time, but I didn't look carefully back then) only after I ran 'nft -f <that example file>'... And if it does not occur again, now that I reverted to Gentoo's Workstation example, I guess my assumption will stand.

Regards!

--

Ah, I forgot. Let me see...

```
$ grep ssl.keylog_file ~/.wireshark/preferences 
ssl.keylog_file: /home/miro/.sslkey.log
$ 
```

... If you want to see the traffic in the evening dumpcap, even if you don't have your machine configured as per:

Secure Socket Layer (SSL)

https://wiki.wireshark.org/SSL

you can do it with:

```
$ wireshark -o "ssl.keylog_file: dump_160327_1916_g0n_SSLKEYLOGFILE.log" dump_160327_1916_g0n.pcap
```
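The "extract URIs with tshark, grep for 'login', look up the frame numbers" check described in the post above, as an added example; this is not the post's tshark-http-uri.sh, nor anything from Wireshark. tshark and the field names frame.number, http.host and http.request.uri are real; the regex of login-looking tokens, the helper names and the sample lines are this example's own assumptions, not data from the thread's captures.

```python
"""Find HTTP requests in a capture that look like logins, by frame number,
so they can be located in Wireshark before the PCAP is shared with others.

Added example, not from the original post. Field names are real tshark
fields; LOGIN_RE and SAMPLE_TSV are assumptions made for the example.
"""
import re
import shutil
import subprocess

# Assumed heuristic: tokens that commonly appear in login-related hosts/paths.
LOGIN_RE = re.compile(r"login|signin|auth|passw", re.IGNORECASE)


def run_tshark_uris(pcap_path, keylog_file=None):
    """Dump one tab-separated line per HTTP request: frame number, host, URI.

    keylog_file, if given, is passed as the ssl.keylog_file preference (the
    pre-3.0 name used in the post; newer Wireshark calls it tls.keylog_file)
    so that HTTPS requests are decrypted and included in the dump.
    """
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark is not installed")
    cmd = ["tshark", "-r", pcap_path, "-Y", "http.request", "-T", "fields",
           "-e", "frame.number", "-e", "http.host", "-e", "http.request.uri"]
    if keylog_file:
        cmd += ["-o", "ssl.keylog_file:" + keylog_file]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True).stdout


def login_frames(tsv):
    """Return [(frame_number, host+uri)] for requests matching LOGIN_RE."""
    hits = []
    for line in tsv.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # request without a host or URI field
        frame, host, uri = parts[0], parts[1], parts[2]
        if LOGIN_RE.search(host) or LOGIN_RE.search(uri):
            hits.append((int(frame), host + uri))
    return hits


def wireshark_filter(frames):
    """Display filter that jumps straight to the flagged frames in Wireshark."""
    return " || ".join("frame.number == %d" % f for f in frames)


# Constructed sample in tshark's "-T fields" output format (not a real capture).
SAMPLE_TSV = (
    "12\twww.example.org\t/index.html\n"
    "40\taccounts.example.org\t/Login?next=/\n"
    "77\twww.example.org\t/static/logo.png\n"
    "91\tshop.example.org\t/api/auth/session\n"
)

if __name__ == "__main__":
    hits = login_frames(SAMPLE_TSV)
    for frame, where in hits:
        print(frame, where)
    print(wireshark_filter(f for f, _ in hits))
```

On a real file, `login_frames(run_tshark_uris("dump.pcap", "keys.log"))` gives the frame numbers to inspect, and the filter string pasted into Wireshark shows only those frames. The token list is deliberately broad; a miss here means a credential ships in the capture, so err on the side of reviewing a few false positives.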

----------
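The tshark complaint in the post above ("total block length 0 of an unknown block type is less than the minimum block size 12") is about the pcapng block framing. As an added example, not code from the post or from Wireshark, the following walks a pcapng file block by block and reports the offset at which it stops being well-formed. The block layout (u32 type, u32 total length, body padded to 4 bytes, u32 total length again) and the SHB/IDB/EPB type codes are from the pcapng specification; the sample capture is constructed here, and the zero-filled tail it appends is an assumption about what a capture cut off by a freeze typically looks like, not a claim about the thread's actual file.

```python
"""Walk pcapng blocks and locate the first damaged one.

Added example, not from the original post. Constants follow the pcapng
spec; build_samples() fabricates a tiny capture for demonstration.
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
MIN_BLOCK_LEN = 12             # type + length + trailing length, empty body


def walk_pcapng(data):
    """Return (blocks, damaged_offset).

    blocks lists (offset, block_type, total_length) for every block that
    parses cleanly; damaged_offset is the byte offset of the first block that
    does not, or None when the whole file is well-formed.
    """
    blocks = []
    off = 0
    endian = "<"
    while off < len(data):
        if len(data) - off < MIN_BLOCK_LEN:
            return blocks, off           # truncated inside a block header
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if btype == SHB_TYPE:
            # The SHB type is byte-order independent; its byte-order magic
            # tells how the rest of this section is encoded.
            (bom,) = struct.unpack_from("<I", data, off + 8)
            endian = "<" if bom == BYTE_ORDER_MAGIC else ">"
            btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < MIN_BLOCK_LEN or blen % 4 or off + blen > len(data):
            return blocks, off           # e.g. zero-filled tail: length 0
        (trailer,) = struct.unpack_from(endian + "I", data, off + blen - 4)
        if trailer != blen:
            return blocks, off           # leading and trailing lengths differ
        blocks.append((off, btype, blen))
        off += blen
    return blocks, None


def salvage(data):
    """Bytes up to the first damaged block: what was fully written."""
    _, bad = walk_pcapng(data)
    return data if bad is None else data[:bad]


def _block(btype, body):
    """Encode one little-endian pcapng block with 4-byte body padding."""
    body += b"\0" * (-len(body) % 4)
    total = MIN_BLOCK_LEN + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_samples():
    """A minimal valid capture and the same capture with a zeroed tail."""
    shb = _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = _block(IDB_TYPE, struct.pack("<HHI", 1, 0, 65535))  # Ethernet
    frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"E"     # constructed
    epb = _block(EPB_TYPE,
                 struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame)
    good = shb + idb + epb
    return good, good + b"\0" * 16


if __name__ == "__main__":
    good, damaged = build_samples()
    print(walk_pcapng(good))
    blocks, bad = walk_pcapng(damaged)
    print("%d good blocks, damage at offset %s" % (len(blocks), bad))
    print("salvageable bytes:", len(salvage(damaged)))
```

Run against a real file with `walk_pcapng(open(path, "rb").read())`; a length-0 block right after the last good one is the case tshark reported. Writing `salvage(data)` back out (or `truncate -s <offset>`) keeps every complete block, which is usually enough to open the capture without the corruption warning, though whatever was in dumpcap's buffers at the moment of the freeze is gone for good.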

