sshd causes kernel OOPS with grsec 2.1.0-2.6.10
Posted: Thu Jan 13, 2005 10:26 am
Hi folks,
I've installed grsec 2.1.0-2.6.10 with the secfix, and now sshd generates an oops whenever the RBAC system is enabled. With RBAC disabled there is no oops. PaX is not enabled in the kernel at all.
Here are the ksymoops output (note that the faulting process recorded in it is bash, pid 4651, rather than sshd itself), my policy, and the relevant section of my kernel config:
Ksymoops:
Jan 12 18:16:28 dor-secft1 kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000014
Jan 12 18:16:28 dor-secft1 kernel: printing eip:
Jan 12 18:16:28 dor-secft1 kernel: c029d853
Jan 12 18:16:28 dor-secft1 kernel: *pgd = f26fdd0c00000000
Jan 12 18:16:28 dor-secft1 kernel: *pmd = f26fdd0c00000000
Jan 12 18:16:28 dor-secft1 kernel: Oops: 0000 [#10]
Jan 12 18:16:28 dor-secft1 kernel: CPU: 0
Jan 12 18:16:28 dor-secft1 kernel: EIP: 0060:[<c029d853>] Not tainted VLI
Jan 12 18:16:28 dor-secft1 kernel: EFLAGS: 00010246 (2.6.10-grsec)
Jan 12 18:16:28 dor-secft1 kernel: eax: 00000000 ebx: 00000000 ecx: f2aa0800 edx: 00000000
Jan 12 18:16:28 dor-secft1 kernel: esi: 00900003 edi: 0000007f ebp: 00000000 esp: f26fddf4
Jan 12 18:16:28 dor-secft1 kernel: ds: 007b es: 007b ss: 0068
Jan 12 18:16:28 dor-secft1 kernel: Process bash (pid: 4651, threadinfo=f26fc000 task=f742c080)
Jan 12 18:16:28 dor-secft1 kernel: Stack: f7ee353c c17e79e0 f2a746c0 f26fde24 00000000 f7f55c08 00400000 00000286
Jan 12 18:16:28 dor-secft1 kernel: f7f55c08 00000005 f2aa0800 f2aa0800 00000000 00900003 00000000 00000004
Jan 12 18:16:28 dor-secft1 kernel: f3a99ec0 c17e79e0 f7ee3b9c c17e79e0 f7ee353c f2a746c0 00404010 f26fc000
Jan 12 18:16:28 dor-secft1 kernel: Call Trace:
Jan 12 18:16:29 dor-secft1 kernel: [<c029e475>]
Jan 12 18:16:29 dor-secft1 kernel: [<c02a51e6>]
Jan 12 18:16:29 dor-secft1 kernel: [<c0179d3f>]
Jan 12 18:16:29 dor-secft1 kernel: [<c0135bcc>]
Jan 12 18:16:29 dor-secft1 kernel: [<c017a46e>]
Jan 12 18:16:29 dor-secft1 kernel: [<c017ac62>]
Jan 12 18:16:29 dor-secft1 kernel: [<c016bc93>]
Jan 12 18:16:29 dor-secft1 kernel: [<c016bea5>]
Jan 12 18:16:29 dor-secft1 kernel: [<c016bfc9>]
Jan 12 18:16:29 dor-secft1 kernel: [<c012d537>]
Jan 12 18:16:29 dor-secft1 kernel: Code: 00 8b 4c 24 38 8b 89 bc 00 00 00 85 c9 89 4c 24 38 0f 85 27 ff ff ff 85 db 75 10 8b 7c 24 50 8b 7f 0c 89 7c 24 50 e9 98 fe ff ff <8b> 43 14 85 c0 74 4a 8b 44 24 48 85 c0 0f 84 7b fe ff ff 8b 44
Policy:
# Administrative role: "s" marks it as a special role (entered via gradm
# rather than by uid/gid), "A" as the admin role. Its single subject grants
# every object mode on "/", i.e. no RBAC restriction at all. NOTE(review):
# this role is reachable from the root role through "role_transitions admin"
# below — confirm that only the intended password-holders can make that
# transition.
role admin sA
subject /
/ rwcdmxi
# Fallback role for any user/group not matched by a more specific role.
# It is deny-all: the whole filesystem is hidden, every capability is
# dropped and no socket use is permitted.
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
# Role applied to uid root ("u" = user role; NOTE(review): check the gradm
# documentation for the exact meaning of the "G" flag before relying on it).
# The role may transition into the "admin" role defined above.
role root uG
role_transitions admin
# Source-address restriction on entering this role. Presumably 0.0.0.0/32 is
# what local (non-network) logins are matched against — TODO confirm against
# the gradm docs; the remaining entries are the four hosts allowed to log in
# as root over the network.
role_allow_ip 0.0.0.0/32
role_allow_ip 192.168.254.10/32
role_allow_ip 192.168.254.76/32
role_allow_ip 192.168.254.7/32
role_allow_ip 192.168.254.3/32
# Default subject for the role: anything root runs that has no dedicated
# "subject /path" stanza below gets this deny-all profile. /dev/initctl and
# /var/spool/at are listed without any mode letters — they are not hidden,
# but the stanza grants no access to them either.
subject / {
/ h
/dev/initctl
/var/spool/at
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/basename o {
/ h
/bin/basename x
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/bash o {
/ h
/bin x
/bin/hostname h
/etc/bashrc r
/etc/profile r
/lib
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libdl-2.3.2.so rx
/lib/libtermcap.so.2 rx
/lib/libtermcap.so.2.0.8 rx
/lib/tls rx
/proc r
/proc/kcore h
/proc/sys h
/sbin rx
/sbin/gradm rx
/tmp
/root/.bash_profile r
/root/.bash_history s
/root/.bash_logout s
/root/.bashrc r
/usr h
/usr/bin h
/usr/bin/crontab x
/usr/bin/killall x
/usr/bin/tail x
/usr/bin/vim x
/usr/lib
/usr/libexec/openssh/sftp-server rx
/usr/sbin h
/usr/sbin/logrotate x
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/etc
/etc/grsec
/etc/hosts r
/etc/ld.so.cache r
/etc/ssh h
/etc/shadow h
/etc/passwd h
/root
/root/xfer.sh x
/root/rsync-download.sh rx
/var
/var/spool
/var/tmp rxwcd
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_DAC_READ_SEARCH
bind disabled
connect 192.168.254.0/24:53 dgram udp
connect 192.168.254.0/24:389 stream tcp
}
subject /bin/cat o {
/ h
/bin h
/bin/cat x
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/root h
/root/checksshd.sh r
/usr h
/usr/libexec/openssh/sftp-server rx
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
/var h
/var/tmp/.bruce1.size r
/var/tmp/.test.txt.size r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/chmod o {
/ h
/bin h
/bin/chmod x
/etc h
/etc/ld.so.cache r
/home h
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/xfer w
-CAP_ALL
+CAP_FOWNER
+CAP_FSETID
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/chown o {
/ h
/bin h
/bin/chown x
/dev/log rw
/etc r
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/etc/shadow h
/home h
/lib rx
/usr/kerberos rx
/usr/lib rx
/xfer w
-CAP_ALL
+CAP_CHOWN
+CAP_SYS_ADMIN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
bind disabled
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.7/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
}
subject /bin/cut o {
/ h
/bin/cut x
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/date o {
/ h
/bin h
/bin/date x
/etc h
/etc/ld.so.cache r
/etc/localtime r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/echo o {
/ h
/bin/echo x
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/gawk o {
/ h
/bin h
/bin/gawk x
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/i686/libm-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libdl-2.3.2.so rx
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/grep o {
/ h
/bin h
/bin/grep x
/etc h
/etc/ld.so.cache r
/lib sh
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/gzip o {
/ h
/bin h
/bin/gzip x
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/xfer rwcd
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/login o {
/ sh
/bin h
/bin/bash x
/bin/login x
/dev h
/dev/log rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc
/proc/kcore h
/proc/sys h
/usr
/usr/kerberos rx
/usr/lib rx
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/usr/lib/sasl rx
/usr/lib/sasl/libanonymous.so.1.0.15 rx
/usr/lib/sasl/libcrammd5.so.1.0.15 rx
/usr/lib/sasl/libdigestmd5.so.0.0.17 rx
/usr/lib/sasl/liblogin.so.0.0.5 rx
/usr/lib/sasl/libplain.so.1.0.14 rx
/var h
/var/log/lastlog rw
/var/log/wtmp w
/var/run/utmp rw
/var/spool/mail
/root
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:0 dgram ip
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.7/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
}
subject /bin/ls o {
/ h
/bin h
/bin/ls x
/home h
/lib rx
/proc r
/proc/1986
/proc/1986/mounts r
/proc/2176
/proc/2176/mounts r
/proc/2706
/proc/2706/mounts r
/proc/5700
/proc/5700/mounts r
/proc/kcore h
/proc/sys h
/usr h
/usr/lib rx
/usr/kerberos rx
/usr/share h
/usr/share/locale/locale.alias r
/etc r
/etc/ssh h
/etc/shadow h
/var
-CAP_ALL
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 dgram ip
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.7/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject /bin/mail o {
/
/bin h
/bin/mail x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/tmp rwcd
/usr h
/usr/lib rx
/usr/sbin/sendmail.sendmail x
/dev/grsec h
/proc/kcore h
/proc/sys h
/var/log h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_SETGID
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/more o {
/ h
/bin h
/bin/more x
/etc h
/etc/ld.so.cache r
/etc/termcap r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libtermcap.so.2.0.8 rx
/usr h
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/mv o {
/ h
/bin h
/bin/mv x
/etc h
/etc/ld.so.cache r
/home h
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/xfer rwcd
/root
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/ps o {
/ h
/bin h
/bin/ps x
/dev h
/dev/pts h
/dev/pts/0
/dev/tty1
/dev/tty2
/dev/tty3
/dev/tty4
/dev/tty5
/dev/tty6
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libnss_files-2.3.2.so rx
/lib/libproc.so.2.0.7 rx
/proc r
/proc/kcore h
/proc/sys h
-CAP_ALL
+CAP_SYS_PTRACE
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/rm o {
/ h
/bin h
/bin/rm x
/etc h
/etc/grsec
/etc/grsec/@! wd
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/tls rx
/usr h
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
/var h
/var/lock/subsys
/var/lock/subsys/xfer wd
/var/tmp
/var/tmp/.bruce1.size wd
/var/tmp/.test.txt.size wd
/xfer wd
/root
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /bin/sleep o {
/ h
/bin h
/bin/sleep x
/etc h
/etc/ld.so.cache r
/lib rx
/lib/i686 h
/lib/i686/libc-2.3.2.so rx
/lib/i686/libm-2.3.2.so rx
/lib/i686/libpthread-0.9.so rx
/lib/ld-2.3.2.so x
/lib/librt-2.3.2.so rx
/proc h
/proc/sys/kernel/version r
/usr/lib rx
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject /root/purge-dl.sh o {
/
/bin h
/bin/bash x
/bin/rm xi
/bin/sleep x
/dev h
/dev/tty rw
/etc r
/etc/ld.so.cache r
/etc/mtab r
/lib rx
/lib/ld-2.3.2.so x
/lib/libdl-2.3.2.so rx
/lib/libtermcap.so.2.0.8 rx
/lib/tls/libc-2.3.2.so rx
/proc h
/proc/meminfo r
/root r
/root/purge-dl.sh rx
/usr h
/usr/bin/find x
/usr/bin/stat rxi
/usr/bin/logger x
/var/log h
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
bind disabled
connect 192.168.254.0/24:53 dgram udp
connect 192.168.254.0/24:389 stream tcp
}
subject /root/xfer.sh o {
/ h
/bin rxi
/dev r
/dev/log rw
/dev/tty rw
/etc r
/etc/ld.so.cache r
/lib rxi
/proc r
/proc/kcore h
/proc/sys h
/sbin h
/sbin/iptables x
/tmp rwcd
/usr h
/usr/bin rxi
/usr/kerberos rx
/usr/lib rxi
/var h
/var/lock/subsys rwcd
/var/lock/subsys/xfer rwcd
/var/tmp rwcd
/xfer/upload rwcd
/root s
/root/.gnupg rwcd
/root/xfer.sh rxi
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_FOWNER
+CAP_LINUX_IMMUTABLE
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_NET_ADMIN
+CAP_NET_RAW
+CAP_IPC_LOCK
+CAP_FSETID
bind disabled
connect 192.168.254.0/24:53 dgram udp
connect 192.168.254.0/24:389 stream tcp
}
subject /sbin/consoletype o {
/ h
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/sbin/consoletype x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /sbin/init o {
/ h
/dev h
/dev/console rw
/dev/initctl
/sbin h
/sbin/mingetty x
/sbin/update x
/var h
/var/log/wtmp w
/var/run/utmp rw
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /sbin/iptables o {
/ h
/etc h
/etc/ld.so.cache r
/lib rx
/sbin h
/sbin/iptables x
-CAP_ALL
+CAP_NET_ADMIN
+CAP_NET_RAW
+CAP_SYS_ADMIN
bind disabled
connect 0.0.0.0/32:0 raw_sock raw_proto
}
subject /sbin/klogd o {
/ h
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /sbin/mdadm {
/ h
/dev h
/dev/md* r
/proc h
/proc/mdstat r
-CAP_ALL
+CAP_SYS_RAWIO
bind disabled
connect disabled
}
subject /sbin/mingetty o {
/ h
/bin h
/bin/login x
/dev h
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/etc h
/etc/issue r
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so rx
/lib/tls rx
/sbin h
/sbin/mingetty x
/var h
/var/log/wtmp a
/var/run/utmp rw
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /sbin/update o {
/
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/sbin/update x
/etc/ssh h
/etc/grsec h
/dev/grsec h
/proc/kcore h
/proc/sys h
/etc/shadow h
/etc/passwd h
/var/log h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/dircolors o {
/ h
/etc h
/etc/DIR_COLORS r
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/bin/dircolors x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /sbin/syslogd o {
/ h
/etc/services r
/etc/syslog.conf r
/var/log a
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/crontab o {
/ h
/dev h
/dev/log rw
/etc h
/etc/ld.so.cache r
/etc/localtime r
/etc/nsswitch.conf r
/etc/passwd r
/lib rx
/usr h
/usr/bin h
/usr/bin/crontab x
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
/var h
/var/spool
/var/spool/cron
/var/spool/cron/root r
-CAP_ALL
+CAP_SETUID
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/find o {
/ h
/bin/rm rxi
/etc h
/etc/ld.so.cache r
/home h
/home/bruce r
/home/bruce/upload
/home/bruce/download rwcd
/lib h
/lib/tls rx
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/bin/find x
/root rs
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/getent o {
/ h
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/usr h
/usr/kerberos rx
/usr/bin/getent x
/usr/lib/sasl rx
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
bind 0.0.0.0/32:0 dgram ip
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.7/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
}
subject /usr/bin/gpg o {
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libdl-2.3.2.so rx
/lib/libnsl-2.3.2.so rx
/root h
/root/.gnupg rwcd
/usr h
/usr/bin/gpg x
/usr/lib/libgdbm.so.2.0.0 rx
/usr/lib/libz.so.1.1.3 rx
/xfer h
/xfer/upload r
-CAP_ALL
+CAP_IPC_LOCK
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/killall o {
/ h
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/bin/killall x
/proc r
/proc/kcore h
/proc/sys h
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/logger o {
/ h
/dev h
/dev/log rw
/etc h
/etc/ld.so.cache r
/etc/localtime r
/lib rx
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/proc s
/usr h
/usr/lib rx
/usr/bin/logger x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/md5sum o {
/ h
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/bin/md5sum x
/xfer r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/tail o {
/ h
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/bin h
/usr/bin/tail x
/usr/lib r
/usr/share h
/usr/share/locale/locale.alias r
/var h
/var/log/messages r
/var/log/secure r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/tr o {
/ h
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr/bin/tr x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/vim o {
/ h
/etc h
/etc/grsec r
/etc/grsec/@! wc
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/lib rx
/proc h
/proc/sys/kernel/version r
/usr h
/usr/bin h
/usr/bin/vim x
/usr/lib rx
/usr/share r
/var h
/var/spool/cron
/var/spool/cron/.root.swp rwcd
/var/spool/cron/.root.swpx rwcd
/var/spool/cron/4913 wcd
/var/spool/cron/root rwcd
/var/spool/cron/root~ rwcd
/root
/root/.viminfo rwcd
/root/.viminfo.tmp rwcd
/root/.vimrc r
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/wc o {
/ h
/etc/ld.so.cache r
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr/bin/wc x
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/libexec/openssh/sftp-server o {
/
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc r
/usr h
/usr/kerberos h
/usr/kerberos/lib rx
/usr/lib rx
/usr/libexec h
/usr/libexec/openssh/sftp-server rx
/var
/var/tmp rwc
/var/log h
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 dgram ip
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.7/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
}
# sshd subject (the daemon this report is about). Report context: the oops
# above was recorded in process bash (pid 4651), which this stanza lets sshd
# exec through "/bin/bash x".
# NOTE(review): this is the only subject in the policy with no "bind"/"connect"
# lines at all. In gradm a subject with no socket rules is, as far as I know,
# left with unrestricted socket access — confirm that is intended for a
# network-facing daemon, or add explicit bind/connect rules as the other
# subjects do.
subject /usr/sbin/sshd o {
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
# The whole of /etc is readable and only /etc/grsec is hidden. Other subjects
# here also hide /etc/ssh and /etc/shadow; sshd presumably needs both (host
# keys, password authentication), so the wider grant looks deliberate.
/etc r
/etc/grsec h
# Entries with no mode letters (/home, /var/empty/sshd, /var/log, /root, /xfer,
# /xfer/.ssh) grant no access of their own; they only scope the more specific
# rules beneath them. /home/phist/.ssh, /root/.ssh and the xfer user's
# authorized_keys2 are the only key locations this sshd can read.
/home
/home/phist/.ssh r
/lib rx
/lib/libnss_dns-2.3.2.so rx
/lib/libnss_ldap-2.3.2.so rx
# Unlike the /bin/bash subject, "/proc r" here is not paired with
# "/proc/kcore h" and "/proc/sys h".
/proc r
/root/.ssh r
/usr h
/usr/kerberos/lib/libdes425.so.3.0 rx
/usr/lib rx
/usr/lib/sasl rx
/usr/libexec/openssh/sftp-server rx
/usr/sbin/sshd rx
/var h
/var/empty/sshd
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run/utmp rw
/root
/xfer
/xfer/.ssh
/xfer/.ssh/authorized_keys2 r
# Capability whitelist: everything dropped, then only what session setup and
# privilege separation need is added back (CAP_SYS_CHROOT for the privsep
# chroot into /var/empty/sshd — presumably; not verifiable from the policy).
-CAP_ALL
+CAP_SETGID
+CAP_CHOWN
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject /root/rsync-download.sh o {
/
/bin xi
/bin/bash xi
/bin/chown x
/bin/chmod xi
/bin/mail rxi
/bin/mkdir rxi
/bin/mv rxi
/bin/rmdir rxi
/dev h
/dev/urandom r
/dev/tty rw
/etc r
/etc/ld.so.cache r
/home r
/home/bruce r
/home/bruce/download rwcd
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/usr rx
/usr/bin rxi
/usr/lib rx
/usr/bin/getent rx
/usr/bin/rsync rx
/usr/bin/logger rx
/usr/bin/ssh rxi
/root r
/root/.ssh r
/root/rsync-download.sh rxi
/tmp rwcd
/xfer r
/xfer/download rxcwd
/var
/var/tmp rwcd
/var/lock/subsys rwcd
# /var/lock/subsys/xfer rwcd
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_SETGID
+CAP_SETUID
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_DAC_READ_SEARCH
+CAP_DAC_OVERRIDE
bind disabled
connect 192.168.254.0/24:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
connect 192.168.254.77/32:22 stream tcp
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject /usr/bin/rsync o {
/ h
/dev/tty r
/dev/random r
/dev/urandom r
/etc r
/etc/ssh r
/etc/grsec h
/etc/shadow h
/home h
/home/bruce r
/home/bruce/download rwcd
/lib rx
/usr h
/usr/bin h
/usr/bin/rsync x
/usr/bin/ssh xi
/usr/kerberos
/usr/kerberos/lib rx
/usr/lib rx
/root
/root/.ssh r
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_CHOWN
+CAP_FOWNER
+CAP_SETUID
bind disabled
connect 192.168.254.0/24:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
connect 192.168.254.77/32:22 stream tcp
}
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
# sendmail subject (generated under the "add to user role root" marker above).
# NOTE(review): this is the only subject in the whole policy that keeps
# "+CAP_ALL" instead of "-CAP_ALL" plus a whitelist, and the only one that
# grants "rw" on the entire /etc tree; both are far broader than every other
# stanza here and are worth tightening once the oops is resolved.
subject /usr/sbin/sendmail.sendmail o {
/
/dev h
/dev/null rw
/dev/log rw
# Read/write on all of /etc; the three hidden entries below only carve out
# /etc/ssh, /etc/grsec and /etc/shadow. Other subjects use "/etc r" or "/etc h".
/etc rw
# "rx" on ld.so.cache — every other subject lists it as "r" only.
/etc/ld.so.cache rx
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc hs
/proc/*/mounts r
/proc/cpuinfo r
/proc/loadavg r
/root
/root/.forward r
/usr h
/usr/bin/procmail s
/usr/kerberos rx
/usr/lib rx
/usr/sbin h
/usr/sbin/sendmail.sendmail x
# Whole /var readable (other subjects use "/var h"); write access is limited
# to /var/tmp and the mail queue.
/var r
/var/tmp rwcd
/var/spool/mqueue rwcd
# All capabilities retained — see the note at the top of this stanza.
+CAP_ALL
# Outbound: DNS to the two resolvers, SMTP and LDAP to 192.168.254.13.
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.13/32:25 stream tcp
connect 192.168.254.13/32:389 stream tcp
connect 192.168.254.7/32:53 dgram udp
bind disabled
}
subject /usr/sbin/crond o {
/ h
/bin h
/bin/bash x
/etc r
/etc/cron.d
/etc/cron.d/sysstat r
/etc/cron.d/sysstat~ r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/usr/kerberos/lib rx
/usr/lib rx
/usr/sbin/sendmail.sendmail rx
/var h
/var/spool/clientqueue rwcd
/var/spool/mqueue rwcd
/var/spool/cron
/var/spool/cron/root r
/root
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 dgram ip
connect 192.168.254.3/32:53 dgram udp
connect 192.168.254.13/32:389 stream tcp
connect 192.168.254.7/32:53 dgram udp
}
subject /usr/sbin/logrotate o {
/ h
/bin h
/bin/bash xi
/bin/cat xi
/bin/kill xi
/dev
/dev/null rw
/dev/tty rw
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc
/proc/meminfo r
/usr h
/usr/bin/killall x
/usr/lib/libpopt.so.0.0.0 rx
/usr/sbin/logrotate x
/var rwcd
/root r
/tmp rwcd
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
Kernel Config Snippet:
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
# CONFIG_GRKERNSEC_PROC_USERGROUP is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=1
CONFIG_GRKERNSEC_FLOODBURST=50
#
# PaX
#
# CONFIG_PAX is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
# CONFIG_PAX_DEFAULT_SEGMEXEC is not set
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_SELINUX is not set
#