
Can't stop learning

PostPosted: Mon May 29, 2006 9:29 am
by voron
I've started full learning with
voron grsec # gradm -F -L /var/gradm.log
voron grsec # gradm -S
The RBAC system is currently enabled.
voron grsec #

in dmesg
[17179869.112000] grsec: (default:D:/sbin/gradm) grsecurity 2.1.9 RBAC system loaded by /sbin/gradm[gradm:19644] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20047] uid/euid:0/0 gid/egid:0/0
But I can't stop it
voron grsec # gradm -D
Password:
Invalid password.
voron grsec #
gradm -a admin gives me the same result. My box is:
 uname -r
2.6.16.9-grsec
with grsecurity-2.1.9-2.6.16.12-200605012018.patch and gradm-2.1.9.200602141850. Strace of gradm -D:
voron grsec # strace gradm -D
execve("/sbin/gradm", ["gradm", "-D"], [/* 45 vars */]) = 0
uname({sys="Linux", node="voron.noname.com.ua", ...}) = 0
brk(0)                                  = 0x8076da8
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/X11R6/lib/tls/i686", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/X11R6/lib/tls", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/X11R6/lib/i686", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/usr/X11R6/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/X11R6/lib", 0xbf9c6e80)    = -1 ENOENT (No such file or directory)
open("/opt/upspilot/lib/tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/opt/upspilot/lib/tls/i686", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/opt/upspilot/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/opt/upspilot/lib/tls", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/opt/upspilot/lib/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/opt/upspilot/lib/i686", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/opt/upspilot/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/opt/upspilot/lib", 0xbf9c6e80) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=85719, ...}) = 0
mmap2(NULL, 85719, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f9c000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20P\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1202712, ...}) = 0
mmap2(NULL, 1146076, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e84000
madvise(0xb7e84000, 1146076, MADV_SEQUENTIAL|0x1) = 0
mmap2(0xb7f96000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x111) = 0xb7f96000
mmap2(0xb7f9a000, 7388, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f9a000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e83000
mprotect(0xb7f96000, 4096, PROT_READ)   = 0
mprotect(0xb7fc6000, 4096, PROT_READ)   = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e83b30, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f9c000, 85719)               = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\215\240\0\321", 4)            = 4
close(3)                                = 0
geteuid32()                             = 0
getuid32()                              = 0
uname({sys="Linux", node="voron.noname.com.ua", ...}) = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
brk(0)                                  = 0x8076da8
brk(0x8097da8)                          = 0x8097da8
brk(0x8098000)                          = 0x8098000
getcwd("/etc/grsec", 4095)              = 11
mlock(0xbf9c7430, 256)                  = 0
ioctl(0, TIOCEXCL, 0)                   = 0
open("/dev/grsec", O_WRONLY)            = 3
write(3, "0Q\234\277\31\2\0\0\34\1\0\0", 12) = 1
close(3)                                = 0
mlock(0xbf9c5110, 256)                  = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb0000
write(1, "Password: ", 10Password: )              = 10
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
read(0, "password\n", 128)              = 9
write(1, "\n", 1
)                       = 1
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
mlock(0x8076dc0, 284)                   = 0
open("/dev/grsec", O_WRONLY)            = 3
write(3, "\300m\7\10\31\2\0\0\34\1\0\0", 12) = -1 EPERM (Operation not permitted)
write(2, "Invalid password.\n", 18Invalid password.
)     = 18
close(3)                                = 0
ioctl(0, TIOCNXCL, 0x12)                = 0
munmap(0xb7fb0000, 4096)                = 0
exit_group(1)                           = ?
voron grsec #
Yes, the password is "password" ;). Note that in the strace the write to /dev/grsec fails with EPERM right before "Invalid password." is printed. In dmesg at that time:
[17204165.920000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:31639] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:21152] uid/euid:0/0 gid/egid:0/0
[17204165.920000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:31639] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:21152] uid/euid:0/0 gid/egid:0/0
[17204165.920000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:31639] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:21152] uid/euid:0/0 gid/egid:0/0
[17204165.924000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:31639] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:21152] uid/euid:0/0 gid/egid:0/0
[17204165.924000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:31639] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:21152] uid/euid:0/0 gid/egid:0/0
[17204165.924000] grsec: more alerts, logging disabled for 10 seconds
In gradm.log:
default 68      0       0       /usr/bin/strace /       1       1       /sbin/gradm     16      192.168.90.2
default 68      0       0       /usr/bin/strace /       1       1       /sbin/gradm     8       192.168.90.2

policy and learn_config are the defaults shipped with gradm.
When I tried to reload:
voron grsec # gradm -R
Password:
Error changing directory to /etc/grsec
Error: No such file or directory
voron grsec #
the same "denied access to hidden file /usr" message appears in dmesg. It appears on every exec of gradm (after the initial learning start), even when gradm is run without any parameters :-?
Interesting things with /sbin/grlearn:
voron grsec # which grlearn
/sbin/grlearn
voron grsec # /sbin/grlearn
-su: /sbin/grlearn: No such file or directory
voron grsec # dmesg|tail -n 6
[17210075.716000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[bash:27409] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9992] uid/euid:0/0 gid/egid:0/0
[17210128.864000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[strace:29836] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:26585] uid/euid:0/0 gid/egid:0/0
[17210143.384000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[strace:23295] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:29821] uid/euid:0/0 gid/egid:0/0
[17210167.356000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[strace:4499] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:32739] uid/euid:0/0 gid/egid:0/0
[17210244.800000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[bash:31715] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9992] uid/euid:0/0 gid/egid:0/0
[17210344.140000] grsec: From 192.168.90.2: (default:D:/sbin/grlearn) denied access to hidden file /lib/ld-2.3.6.so by /sbin/grlearn[bash:11521] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9992] uid/euid:0/0 gid/egid:0/0

Why do the files /usr and /lib/ld-2.3.6.so become hidden when I'm only in learning mode?

On another server (amd64) with the same kernel, patch, gradm and default policy and learn_config, everything works:
[685550.142233] grsec: From 192.168.78.1: (default:D:/sbin/gradm) grsecurity 2.1.9 RBAC system loaded by /sbin/gradm[gradm:17125] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5173] uid/euid:0/0 gid/egid:0/0
[703355.772703] grsec: From 192.168.78.1: shutdown auth success for /sbin/gradm[gradm:26095] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23572] uid/euid:0/0 gid/egid:0/0

PostPosted: Mon May 29, 2006 11:18 am
by voron
Rebooted and tried again. Deleted /etc/grsec/policy and changed the password again.
voron ~ # dmesg|tail -n 1
[17180015.600000] PPP Deflate Compression module registered
voron ~ # gradm -S
The RBAC system is currently disabled.
voron ~ # dmesg|tail -n 1
[17180015.600000] PPP Deflate Compression module registered
voron ~ # gradm -F -L /var/gradm.log
voron ~ # dmesg|tail -n 1
[17180251.764000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) grsecurity 2.1.9 RBAC system loaded by /sbin/gradm[gradm:20624] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
voron ~ # gradm -S
The RBAC system is currently enabled.
voron ~ # dmesg|tail -n 6
[17180268.740000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:13600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
[17180268.740000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:13600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
[17180268.740000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:13600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
[17180268.740000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:13600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
[17180268.740000] grsec: From 192.168.90.2: (default:D:/sbin/gradm) denied access to hidden file /usr by /sbin/gradm[gradm:13600] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:30487] uid/euid:0/0 gid/egid:0/0
[17180268.740000] grsec: more alerts, logging disabled for 10 seconds
voron ~ #

Why do "hidden file" denials appear in learn mode? :roll: :(