grsecurity forums

[countermode]

Hi,

I've just collected a huge learning log with

Code: Select all

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily


etc. in learn_config.

Nonetheless, I got the following policy entries

Code: Select all

# Role: root
subject /bin/rm o {
        /                               h
        /bin                            h
        /bin/rm                         x
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.17.so                 x
        /lib/libc-2.17.so               rx
        /var                            h
        /var/spool/cron/lastrun/cron.daily      wd
        /var/spool/cron/lastrun/cron.hourly     wd
        /var/spool/cron/lastrun/cron.weekly     wd
        /var/spool/cron/lastrun/lock    wd
        -CAP_ALL
        bind    disabled
        connect disabled
}


Is that supposed to be like that?

[spender]

That rm must have been executed from somewhere else. You'll have to find out where from (a start would be iteratively looking for executions going back from /bin/rm in the learning log). It might be something specific to your distro that I can just include in an update to the learn_config.

-Brad

[countermode]

That rm must have been executed from somewhere else

Well no, nothing I can think of. That must have been something from the cron corner. I let the system (a web server) run for a while and logged on and off a couple of times without doing much. (And certainly I did not issue a rm command.) If you could just give me the meaning of the eleven fields in the learning log I could inspect the relevant entries.


Regards

[spender]

It was probably from crond itself, as it's likely you have a line like:

Code: Select all

rm -f /var/spool/cron/lastrun/cron.daily

etc
in your /etc/crontab, which seems specific to some distros. Instead of adding "inherit-learn /usr/sbin/cron" line to learn_config, though, I'd recommend that you instead split out those commands into separate shell scripts in protected directories and then have crond execute those shell scripts instead. Then add inherit-learn lines for those shell scripts (or put them all in a single directory and add a single inherit-learn line) and it should resolve the problem.

-Brad

[countermode]

It was probably from crond itself, as it's likely you have a line like:

Code: Select all

rm -f /var/spool/cron/lastrun/cron.daily

etc
in your /etc/crontab, which seems specific to some distros.

-Brad

Well, this is a gentoo distro. The culprit seems to be indeed /etc/crontab, which says:

Code: Select all

# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
59  *  * * *    root    rm -f /var/spool/cron/lastrun/cron.hourly
9  3  * * *     root    rm -f /var/spool/cron/lastrun/cron.daily
19 4  * * 6     root    rm -f /var/spool/cron/lastrun/cron.weekly
29 5  1 * *     root    rm -f /var/spool/cron/lastrun/cron.monthly
*/10  *  * * *  root    test -x /usr/sbin/run-crons && /usr/sbin/run-crons


where run-crons is a shell script that calls ln, touch and rm. So that's where the policy entries come from. However, run-crons also calls find but there's no policy entry for find. Very odd...

Anyway, is there a description of the learning log format?


Regards