learning mode - as well
Posted:
Tue Jul 15, 2003 8:55 am
by Egonle
Hi,
I'm trying to get grsec (kernel 2.4.21, grsec-2rc1) running for quite a few days now.
Starting with the base policy delivered by gradm2, I added the following below the base policy (/):
/usr/bin/ssh-keygen lo {
/ h
-CAP_ALL
connect {
disabled
}
bind {
disabled
}
Running gradm2 -E reports problems with 'disa', so I've commented out connect and bind.
After that enabling the policy is ok. So I run ssh-keygen.
I hoped to get lots of learning messages in syslog (*.debug is setup in syslog.conf) but gradm -L /var/log/messages -O /tmp/myacl doesn't return anything.
Any help on that point?
Posted:
Tue Jul 15, 2003 10:29 am
by spender
You're trying to use a 1.9.x style configuration with a 2.x configuration. It simply won't work. Look at the example provided in the default ACL. Among the changes it notes:
"subject" must always appear before a subject ACL
connect and bind are now specified one line at a time
-Brad
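As an added illustration (not from the thread and not part of gradm), here is a small Python checker that applies the two 2.x rules named above, plus a brace-balance check, to the block from the first post and to a rewrite of that block in 2.x syntax:

```python
# Constructed input: the 1.9.x-style block as posted in the first message.
OLD_STYLE = """\
/usr/bin/ssh-keygen lo {
/ h
-CAP_ALL
connect {
disabled
}
bind {
disabled
}
"""

# The same block rewritten to the 2.x syntax described in the reply:
# 'subject' introduces the block, connect/bind take their argument on one line.
NEW_STYLE = """\
subject /usr/bin/ssh-keygen lo {
/ h
-CAP_ALL
connect disabled
bind disabled
}
"""


def check_policy(text):
    """Return a list of (line_no, message) for violations of the 2.x rules.

    line_no 0 is used for problems detected at end of input (unclosed blocks).
    """
    errors = []
    depth = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            head = line[:-1].strip()
            if head.split()[0] in ("connect", "bind"):
                errors.append((no, f"'{head}' takes its argument on the same line, e.g. '{head} disabled'"))
            elif not head.startswith("subject "):
                errors.append((no, "a '{' block must be introduced by 'subject <path> <modes>'"))
            depth += 1
        elif line == "}":
            if depth == 0:
                errors.append((no, "unmatched '}'"))
            else:
                depth -= 1
        elif line == "disabled":
            errors.append((no, "'disabled' must follow 'connect' or 'bind' on one line"))
    if depth:
        errors.append((0, f"{depth} unclosed '{{' at end of policy"))
    return errors
```

Run against OLD_STYLE it reports the missing subject keyword, both brace-style connect/bind blocks, the two bare 'disabled' lines and the block that is never closed; NEW_STYLE passes cleanly.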
Posted:
Wed Jul 16, 2003 4:08 am
by Egonle
Well,
IMHO the changes aren't really obvious. I've looked at different acls (gentoo, debian, ...) but these seem to be 1.x acls in this case. The default acl coming with gradm2 uses subject, but I didn't think that this was a must.
-
Posted:
Tue Jul 22, 2003 6:54 am
by Egonle
I've set up my acl files with subject lines, so that should be ok.
That's my base file:
role admin sA
subject /
/ rwcdmxi
role default G
role_transitions admin
subject / ol {
/ h
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
-CAP_ALL
connect disabled
bind disabled
}
subject /usr/sbin/sshd ol {
/ h
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
-CAP_ALL
connect disabled
bind disabled
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE DEFAULT ROLE ###
subject /bin/login ol {
/ h
/bin h
/bin/bash x
/bin/login x
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/usr h
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/var rw
/var/log/wtmp w
/var/run
/var/run/console
/var/run/console/josel rwc
/var/run/console.lock rwc
/var/run/utmp rw
/dev
/dev/console rw
/dev/fd0 w
/dev/fd0CompaQ w
/dev/fd0D360 w
/dev/fd0D720 w
/dev/fd0H1440 w
/dev/fd0H360 w
/dev/fd0H720 w
/dev/fd0d360 w
/dev/fd0h1200 w
/dev/fd0h1440 w
/dev/fd0h1476 w
/dev/fd0h1494 w
/dev/fd0h1660 w
/dev/fd0h360 w
/dev/fd0h410 w
/dev/fd0h420 w
/dev/fd0h720 w
/dev/log rw
/dev/radio0 w
/dev/radio1 w
/dev/radio2 w
/dev/radio3 w
/dev/tty2 rw
/dev/tty4 rw
/dev/video0 w
/dev/video1 w
/dev/video1394 w
/dev/video2 w
/dev/video3 w
/dev/vtx w
/dev/winradio0 w
/dev/winradio1 w
/dev/winradio2 w
/dev/winradio3 w
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/mnt
/root
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
After starting learning mode and running the system for some time, I started building an acl off the logs. That's the result:
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE DEFAULT ROLE ###
subject / o {
/
/sbin rx
/bin x
/dev
/dev/console rw
/dev/fd0 w
/dev/fd0CompaQ w
/dev/fd0D360 w
/dev/fd0D720 w
/dev/fd0H1440 w
/dev/fd0H360 w
/dev/fd0H720 w
/dev/fd0d360 w
/dev/fd0h1200 w
/dev/fd0h1440 w
/dev/fd0h1476 w
/dev/fd0h1494 w
/dev/fd0h1660 w
/dev/fd0h360 w
/dev/fd0h410 w
/dev/fd0h420 w
/dev/fd0h720 w
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/null rw
/dev/port h
/dev/radio0 w
/dev/radio1 w
/dev/radio2 w
/dev/radio3 w
/dev/tty rw
/dev/tty2 rw
/dev/tty4 rw
/dev/urandom r
/dev/video0 w
/dev/video1 w
/dev/video1394 w
/dev/video2 w
/dev/video3 w
/dev/vtx w
/dev/winradio0 w
/dev/winradio1 w
/dev/winradio2 w
/dev/winradio3 w
/dev/grsec h
/etc rxwcd
/etc/grsec h
/etc/ssh h
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/usr rx
/var rwc
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_IPC_LOCK
+CAP_SYS_MODULE
+CAP_SYS_TTY_CONFIG
RES_FSIZE 0 0
RES_DATA 0 0
RES_STACK 0 0
RES_RSS 0 0
RES_NPROC 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_AS 0 0
RES_LOCKS 0 0
bind 0.0.0.0/32:22 stream tcp
connect disabled
}
subject /usr/sbin/sshd o {
/ h
/usr/sbin/sshd x
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_STACK 0 0
RES_RSS 0 0
RES_NPROC 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_AS 0 0
RES_LOCKS 0 0
bind disabled
connect disabled
}
What I don't understand is why sshd doesn't get the real stuff like CONNECT and BIND entries. Why are those entries built on subject /?
Regards,
Josef
Posted:
Tue Jul 22, 2003 12:52 pm
by spender
Maybe your sshd isn't located in /usr/sbin. It could be in /usr/local/sbin. grep your learning log file for sshd and you should be able to find out its path (assuming sshd is running).
-Brad
Posted:
Thu Jul 24, 2003 8:25 am
by Egonle
Hi,
sshd is in /usr/sbin/sshd
Thanks&Greetings
Posted:
Thu Jul 24, 2003 10:28 am
by spender
Could you mail me your learning logs?
spender@grsecurity.net
-Brad
Upgrade to rc2
Posted:
Thu Aug 07, 2003 2:22 am
by Egonle
Hi,
After upgrading to 2.0-rc2 I tried it again, and now it looks really good.
Maybe I ran gradm -F -L /learning.log -O /acl without the -F option!???!
Regards