by Egonle » Tue Jul 22, 2003 6:54 am
I've set up my ACL files with subject lines, so that should be OK.
This is my base file:
# Special (s) administrative (A) role; its single catch-all subject "/"
# grants every object mode: read, write, create, delete, setid, execute,
# inherit.
role admin sA
subject /
/ rwcdmxi
# Fallback role for everything else. The G flag lets it authenticate to
# special roles through gradm, and "admin" is the only role it may
# transition into.
role default G
role_transitions admin
# Catch-all subject for the default role used as the learning baseline:
# o = override ACL inheritance, l = enable learning for this subject.
# Everything is hidden (/ h), all capabilities are dropped and networking
# is disabled, so any access observed in learning mode gets logged rather
# than silently permitted.
subject / ol {
/ h
# RES_<name> <soft> <hard> resource limit pairs, as emitted by gradm.
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
-CAP_ALL
connect disabled
bind disabled
}
# Learning baseline for sshd, same shape as the "/" subject above: nothing
# visible, no capabilities, no bind/connect. The intent is that sshd's real
# file and socket needs are discovered by learning and filled in here.
subject /usr/sbin/sshd ol {
/ h
# RES_<name> <soft> <hard> resource limit pairs, as emitted by gradm.
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
-CAP_ALL
connect disabled
bind disabled
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE DEFAULT ROLE ###
# Hand-written subject for /bin/login (o = override inheritance, l = learning).
# Default is hide-everything (/ h); only the paths listed below are reachable.
subject /bin/login ol {
/ h
/bin h
/bin/bash x
/bin/login x
/etc r
# Sensitive configuration kept invisible to the login process.
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/usr h
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/var rw
/var/log/wtmp w
# NOTE(review): entries with no mode (e.g. /var/run, /dev, /mnt, /root) are
# listed but carry no access flags — presumably "visible, no access", as
# opposed to h which hides the path; confirm against the gradm documentation.
/var/run
/var/run/console
/var/run/console/josel rwc
/var/run/console.lock rwc
/var/run/utmp rw
/dev
/dev/console rw
# Floppy, radio and video device nodes writable by login (generated list).
/dev/fd0 w
/dev/fd0CompaQ w
/dev/fd0D360 w
/dev/fd0D720 w
/dev/fd0H1440 w
/dev/fd0H360 w
/dev/fd0H720 w
/dev/fd0d360 w
/dev/fd0h1200 w
/dev/fd0h1440 w
/dev/fd0h1476 w
/dev/fd0h1494 w
/dev/fd0h1660 w
/dev/fd0h360 w
/dev/fd0h410 w
/dev/fd0h420 w
/dev/fd0h720 w
/dev/log rw
/dev/radio0 w
/dev/radio1 w
/dev/radio2 w
/dev/radio3 w
/dev/tty2 rw
/dev/tty4 rw
/dev/video0 w
/dev/video1 w
/dev/video1394 w
/dev/video2 w
/dev/video3 w
/dev/vtx w
/dev/winradio0 w
/dev/winradio1 w
/dev/winradio2 w
/dev/winradio3 w
# Kernel-memory and raw I/O device nodes are hidden outright.
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/mnt
/root
# Drop everything, then re-add only what a login/setuid transition needs.
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
After starting learning mode and running the system for some time, I built an ACL from the logs. This is the result:
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE DEFAULT ROLE ###
# Learning output for the catch-all subject. Note the learning flag (l) from
# the base file is gone; only o (override inheritance) remains.
# NOTE(review): because "/" matches every process that has no more specific
# subject, each grant learned here applies to all of them, not just to the
# program that triggered it during the learning run.
subject / o {
/
/sbin rx
/bin x
/dev
/dev/console rw
/dev/fd0 w
/dev/fd0CompaQ w
/dev/fd0D360 w
/dev/fd0D720 w
/dev/fd0H1440 w
/dev/fd0H360 w
/dev/fd0H720 w
/dev/fd0d360 w
/dev/fd0h1200 w
/dev/fd0h1440 w
/dev/fd0h1476 w
/dev/fd0h1494 w
/dev/fd0h1660 w
/dev/fd0h360 w
/dev/fd0h410 w
/dev/fd0h420 w
/dev/fd0h720 w
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/null rw
/dev/port h
/dev/radio0 w
/dev/radio1 w
/dev/radio2 w
/dev/radio3 w
/dev/tty rw
/dev/tty2 rw
/dev/tty4 rw
/dev/urandom r
/dev/video0 w
/dev/video1 w
/dev/video1394 w
/dev/video2 w
/dev/video3 w
/dev/vtx w
/dev/winradio0 w
/dev/winradio1 w
/dev/winradio2 w
/dev/winradio3 w
/dev/grsec h
# NOTE(review): write/create/delete on all of /etc for the fallback subject
# is broad; worth narrowing to the specific files the learning logs named.
/etc rxwcd
/etc/grsec h
/etc/ssh h
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/usr rx
/var rwc
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_IPC_LOCK
# NOTE(review): CAP_SYS_MODULE on the catch-all subject lets any unmatched
# process load kernel modules — likely only needed at boot; confirm which
# program triggered it and move it to that program's own subject.
+CAP_SYS_MODULE
+CAP_SYS_TTY_CONFIG
# RES_<name> <soft> <hard> resource limit pairs, as emitted by gradm.
RES_FSIZE 0 0
RES_DATA 0 0
RES_STACK 0 0
RES_RSS 0 0
RES_NPROC 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_AS 0 0
RES_LOCKS 0 0
# Listener on TCP port 22 (presumably sshd) was attributed to this subject
# rather than to /usr/sbin/sshd below.
bind 0.0.0.0/32:22 stream tcp
connect disabled
}
# Learning output for sshd. Only its own execute access was recorded here;
# no file, bind or connect activity landed in this subject (the port 22
# bind appears under subject "/" above instead).
subject /usr/sbin/sshd o {
/ h
/usr/sbin/sshd x
-CAP_ALL
# RES_<name> <soft> <hard> resource limit pairs, as emitted by gradm.
RES_FSIZE 0 0
RES_DATA 0 0
RES_STACK 0 0
RES_RSS 0 0
RES_NPROC 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_AS 0 0
RES_LOCKS 0 0
bind disabled
connect disabled
}
What I don't understand is why sshd doesn't get the real entries, such as the CONNECT and BIND rules. Why are those entries built under subject / instead?
Regards,
Josef