Problem enabling RBAC


Re: Problem enabling RBAC

Postby Stephane » Fri Aug 22, 2014 8:35 am

Well, I'm sure I can reproduce it. Do you want me to do so?

By the way, one more question, Brad: I'm still having problems with my shutdown role. When running "shutdown -h now" the system goes down but cannot unmount my local filesystems...

How can I fix it?
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby spender » Fri Aug 22, 2014 8:52 am

I haven't yet tested the shutdown role with systemd, so I wouldn't be surprised if it doesn't work.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem enabling RBAC

Postby Stephane » Fri Aug 22, 2014 9:03 am

OK, let me know if you write something to make it work with systemd... I'll be interested for sure!

Concerning this ssh problem, I'll try to post my full logs later when I make another RBAC profile on a new VM with other apps...
Thanks!
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby Stephane » Mon Aug 25, 2014 4:21 am

Hi Brad,

Same problem today using full learning mode on a brand new VM and ssh.
Role user1 requires +CAP_SETUID, which is not set by full learning mode, whereas I've logged in at least twice with this user while learning.

I also have another problem with snmp (I've let the full learning mode run for 10 minutes...):
[ 2311.137679] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.300161] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.302511] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.304621] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2314.138438] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

And systemd, of course, like you said:

grsec: (root:U:/lib/systemd/systemd-logind) denied access to hidden file /etc/localtime by /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2316.345456] grsec: (root:U:/lib/systemd/systemd-logind) use of CAP_MAC_OVERRIDE denied for /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

This can be fixed by hand of course.
My logs/policy generated are too big to be posted here, so I may email you if you agree.
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby spender » Mon Aug 25, 2014 7:15 am

Hi Stephane,

Yes, please do, thanks!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem enabling RBAC

Postby spender » Mon Aug 25, 2014 8:25 am

Hi Stephane,

One thing I noticed is that the snmpd accesses are being recorded through the /etc/init.d inherit-learn rule in learn_config. I would recommend instead that you start the full learning after all init scripts have run so that you only record the privilege they need during normal operation. The problem is that when you disable the RBAC system and enable it again, it will lose those inherited subjects and be dropped into the normal snmpd subject that has different privilege.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem enabling RBAC

Postby Stephane » Mon Aug 25, 2014 8:41 am

OK, this makes sense to me, so once it's done, I'll have to place my upstart script running "gradm -E" when everything is already running. This way there's no need to learn booting/shutdown activities (tell me if I'm wrong).
OK, thanks, I'll keep you in touch.
Let's do it.
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby spender » Mon Aug 25, 2014 8:56 am

As for the CAP_SETUID, I see the problem there now as well, but I'll have to think about a proper solution. The reason is that I added additional restrictions on the ability to change roles so that they can only be done by processes with CAP_SETUID/CAP_SETGID. sshd is changing real uid to user1, then doing a setresuid to 0. Since that changed the real uid to 0, that would involve a role change to root, requiring my additional CAP_SETUID check. However, since we're in full learning mode, there are no role changes, so it won't log the need for CAP_SETUID in the context of the user1 role. Anyway, as I mentioned, let me give this one some thought.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem enabling RBAC

Postby Stephane » Mon Aug 25, 2014 9:44 am

OK, so I started my full learning after all my init.d scripts have run. No problem except that CAP_SETUID.
My VM (Ubuntu 14.04) is running a MySQL server, but no role/subject was created in the resulting policy (it was running during the learning process).
I'd like my RBAC to be active by default on boot, so:
I've figured out I cannot use upstart to order my init scripts (bug with .legacy-bootordering), so I've just put a gradm -E in rc.local, which is supposed to run in the last position, but my mysql-server does not start (no logs about it in dmesg). I just have these logs:

[ 3.897378] grsec: (root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:1070] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0
[ 3.899890] grsec: (root:U:/) denied create of /tmp/end for writing by /bin/touch[touch:1071] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0
[ 3.902251] grsec: (root:U:/) denied open of /run/utmp for reading by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.903359] grsec: (root:U:/) denied open of /run/utmp for reading by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.910420] grsec: (root:U:/) denied open of /dev/ptmx for reading writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.911751] grsec: (root:U:/) denied open of /dev/kmsg for writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.913322] grsec: more alerts, logging disabled for 10 seconds
[ 18.193438] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 20.840507] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.853523] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.855600] grsec: (root:U:/) use of CAP_SYSLOG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.857425] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.859144] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.860909] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.862676] grsec: more alerts, logging disabled for 10 seconds
[ 21.960013] random: nonblocking pool is initialized
[ 32.632634] grsec: From 192.23.4.40: (user1:U:/usr/bin/sudo) denied create of /var/lib/sudo/user1/3 for writing by /usr/bin/sudo[sudo:1134] uid/euid:1000/0 gid/egid:1000/1000, parent /bin/bash[bash:1120] uid/euid:1000/1000 gid/egid:1000/1000
[ 33.195508] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 40.448089] grsec: From 192.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 1) by /sbin/gradm[gradm:1146] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1136] uid/euid:0/0 gid/egid:0/0
[ 43.033974] grsec: (root:U:/) denied access to hidden file /sys/devices/system/node by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 43.035552] grsec: (root:U:/) denied access to hidden file /sys/devices/system/cpu by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 43.037067] grsec: (root:U:/) denied access to hidden file /sys/bus/pci/devices by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 53.197235] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 63.034005] grsec: (root:U:/) denied access to hidden file /sys/devices/system/node by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 63.035944] grsec: (root:U:/) denied access to hidden file /sys/devices/system/cpu by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 63.038536] grsec: (root:U:/) denied access to hidden file /sys/bus/pci/devices by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Did I miss something? Do I need to wait more before starting RBAC?
Thanks
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am
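As an added example (not code from this thread, nor from grsecurity or gradm): a small Python triage script for the dmesg lines quoted in the two posts above. It parses the grsec RBAC audit line shape shown there, groups the denials by (role, subject) and turns each one into a candidate fragment in gradm's object/capability policy syntax. Two things it makes visible: denials logged under subject "/" mean the process fell into the role's default subject rather than a dedicated one (Brad's point about snmpd being learned through the /etc/init.d inherit-learn rule and then landing in a different subject once RBAC is re-enabled), and /proc/<pid>/ paths need generalising by hand. The mode guesses ("r" for hidden-file denials, "wc" for creates) are my heuristics to review before pasting into a policy, not what gradm's learning mode would produce; the sample lines are copied from the posts above.

```python
import re
from collections import defaultdict

# Shape of the grsec RBAC audit lines quoted in this thread. The kernel
# timestamp is ignored; the optional "From <ip>:" prefix is captured.
LINE_RE = re.compile(r"""
    grsec:\s+
    (?:From\s+(?P<ip>\S+):\s+)?
    \((?P<role>[^:)]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\)\s+
    (?P<msg>.+?)\s+(?:by|for)\s+
    (?P<binary>\S+?)\[(?P<comm>[^\]]+):(?P<pid>\d+)\]\s+
    uid/euid:(?P<uid>\d+)/(?P<euid>\d+)\s+gid/egid:(?P<gid>\d+)/(?P<egid>\d+),\s+
    parent\s+(?P<parent>\S+?)\[
""", re.VERBOSE)

# Denial messages seen in the thread, each mapped to a policy fragment.
HIDDEN_RE = re.compile(r"^denied access to hidden file (\S+)$")
OPEN_RE = re.compile(r"^denied open of (\S+) for (reading writing|reading|writing)$")
CREATE_RE = re.compile(r"^denied create of (\S+) for writing$")
CAP_RE = re.compile(r"^use of (CAP_\w+) denied$")
PID_PATH_RE = re.compile(r"^/proc/\d+(/|$)")
OPEN_MODE = {"reading": "r", "writing": "w", "reading writing": "rw"}


def parse_line(line):
    """Fields of one audit line, or None for lines of another shape
    (e.g. "more alerts, logging disabled for 10 seconds")."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def suggest(entry):
    """Candidate object line or capability in gradm policy syntax.
    Heuristic modes (assumption, review by hand): a hidden-file denial does
    not say whether the access was a read, so 'r' is assumed; a create gets
    'wc'.  Non-denial lines such as role changes give None."""
    msg = entry["msg"]
    if (m := HIDDEN_RE.match(msg)):
        return f"{m.group(1)} r"
    if (m := OPEN_RE.match(msg)):
        return f"{m.group(1)} {OPEN_MODE[m.group(2)]}"
    if (m := CREATE_RE.match(msg)):
        return f"{m.group(1)} wc"
    if (m := CAP_RE.match(msg)):
        return f"+{m.group(1)}"
    return None


def triage(lines):
    """Unique fragments grouped by (role, subject), sorted for stable output."""
    groups = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        frag = suggest(entry) if entry else None
        if frag:
            groups[(entry["role"], entry["subject"])].add(frag)
    return {key: sorted(frags) for key, frags in groups.items()}


def render(groups):
    """Commented fragments to paste into the matching subject block, or to
    justify creating a dedicated subject where only '/' was hit."""
    out = []
    for (role, subject), frags in sorted(groups.items()):
        out.append(f"# role {role}, subject {subject}")
        if subject == "/":
            out.append("#   '/' is the role's default subject: the process matched no "
                       "dedicated subject, so nothing was learned for it there")
        for frag in frags:
            note = "   # pid-specific path, generalise by hand" if PID_PATH_RE.match(frag.split()[0]) else ""
            out.append(f"    {frag}{note}")
        out.append("")
    return "\n".join(out)


# Sample input: audit lines copied from the posts above.
SAMPLE_LOG = [
    "[ 2313.300161] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[ 2311.137679] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[ 2316.345456] grsec: (root:U:/lib/systemd/systemd-logind) use of CAP_MAC_OVERRIDE denied for /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "grsec: (root:U:/lib/systemd/systemd-logind) denied access to hidden file /etc/localtime by /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[ 3.899890] grsec: (root:U:/) denied create of /tmp/end for writing by /bin/touch[touch:1071] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0",
    "[ 3.902251] grsec: (root:U:/) denied open of /run/utmp for reading by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0",
    "[ 3.910420] grsec: (root:U:/) denied open of /dev/ptmx for reading writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0",
    "[ 3.913322] grsec: more alerts, logging disabled for 10 seconds",
    "[ 20.840507] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[ 32.632634] grsec: From 192.23.4.40: (user1:U:/usr/bin/sudo) denied create of /var/lib/sudo/user1/3 for writing by /usr/bin/sudo[sudo:1134] uid/euid:1000/0 gid/egid:1000/1000, parent /bin/bash[bash:1120] uid/euid:1000/1000 gid/egid:1000/1000",
    "[ 40.448089] grsec: From 192.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 1) by /sbin/gradm[gradm:1146] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1136] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
```

Run it on `dmesg` output instead of the embedded sample to get one block per (role, subject); anything grouped under subject "/" is a sign the policy has no subject for that binary in the role it actually ran under, which is the situation Brad describes for snmpd, and is usually fixed by adding a subject for the daemon rather than by widening "/".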

Re: Problem enabling RBAC

Postby Stephane » Mon Aug 25, 2014 10:01 am

Yes, it seems that a simple sleep 10 in my rc.local does the trick.
I still have the above logs; I'll try to fix it...
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby spender » Mon Aug 25, 2014 7:43 pm

Hi Stephane,

The CAP_SETUID/CAP_SETGID problem will be fixed in the next patches -- thanks for not giving up and seeing it through to a resolution :)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem enabling RBAC

Postby Stephane » Tue Aug 26, 2014 3:41 am

You're welcome :) thank you Brad, I'm going to test the new patch today...
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: Problem enabling RBAC

Postby Stephane » Tue Aug 26, 2014 7:30 am

It seems to work like a charm!
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am
