When I start gradm - I have no control any more ... :\

PostPosted: Fri Apr 26, 2002 5:35 am
by Stefan
Hello GR Users!

I have installed grsec and selected the following settings:

# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Buffer Overflow Protection
#
CONFIG_GRKERNSEC_PAX=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_MMAPFIXED=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y

#
# Access Control Lists
#
CONFIG_GRKERNSEC_ACL=y
# CONFIG_GR_DEBUG is not set
CONFIG_GRKERNSEC_ACL_CAPLOG=y
CONFIG_GRADM_PATH="/sbin/gradm"
CONFIG_GR_MAXTRIES=2
CONFIG_GR_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_FD=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_SIG=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_PTRACE=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_KBMAP=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_SUID=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_IPC is not set
CONFIG_GRKERNSEC_TTYROOT=y
# CONFIG_GRKERNSEC_TTYROOT_PHYS is not set
CONFIG_GRKERNSEC_TTYROOT_SERIAL=y
# CONFIG_GRKERNSEC_TTYROOT_PSEUDO is not set
CONFIG_GRKERNSEC_FORKBOMB=y
CONFIG_GRKERNSEC_FORKBOMB_GID=100
CONFIG_GRKERNSEC_FORKBOMB_SEC=40
CONFIG_GRKERNSEC_FORKBOMB_MAX=20

# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_GROUP=y
CONFIG_GRKERNSEC_PTRACE_GID=10

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_RANDTTL=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Miscellaneous Features
#
CONFIG_GRKERNSEC_FLOODTIME=20
# CONFIG_GRKERNSEC_COREDUMP is not set

I took spender's ACL files from the ACL development forum. If I try to start gradm with "gradm -E", my box is out of my control, NOTHING works any more; I can only do a hardware reset. I use Slackware 8 on my box.

I have installed iptables too; maybe the ACLs fight with grsec and this is the reason?

Here is a part of the log (I have removed the lines for programs that I have not installed from the ACL files; I paste the rest in a second posting).

Can anyone help me please?

PostPosted: Fri Apr 26, 2002 5:40 am
by Stefan
The lines which let me know that programs are not there I have removed from the ACL files.

grsec: Duplicate entries in config file /etc/grsec/proc.acl at line 21
grsec: more duplicate entries, logging disabled for 20 seconds
grsec: Unable to locate file /var/log/httpd on line 7 of /etc/grsec/file.acl
grsec: more , logging disabled for 20 seconds
grsec: Loaded grsecurity 2.0
grsec: attempt to mmap 32059 771 executableby (bash:14800) UID(508) EUID(508), parent (sshd:14799) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to mmap 228923 771 executableby (gradm:14803) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to access hidden file with inode 357447 dev 771 by (bash:14763) UID(0) EUID(0), parent (sshd:14762) UID(0) EUID(0)
grsec: exec of /bin/sh by (perl:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0) attempted to use 1 malicious environment(s)
attempt to mmap 32059 771 executableby (sh:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: more malicious environments, logging disabled for 20 seconds
grsec: attempt to mmap 32082 771 executableby (ls:14881) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: exec of /bin/sh by (perl:14882) UID(0) EUID(0), parent (perl:14879) UID(0) EUID(0) attempted to use 1 malicious environment(s)
grsec: attempt to mmap 224791 771 executableby (reboot:15005) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds

I hope anyone can help me please ...

Regards,
Stefan

PostPosted: Fri Apr 26, 2002 11:26 am
by spender
I'm not sure what the problem could be... most likely it's an error in the configuration (the mmap logs usually only show up when the process ACL does not have permission to execute itself).

1.9.5 should fix all your problems, since the parsing has a much greater level of error handling and acl analysis to make sure nothing goes wrong.

-Brad
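Spender's reading of the log (a "Duplicate entries" or "Unable to locate file" line is a policy-load error, while an "attempt to mmap ... executable" line means the subject's ACL does not let that process execute itself) can be applied mechanically to a dump like Stefan's. The script below is an added example, not part of this thread and not gradm's code: it embeds the lines Stefan posted as a constructed sample, separates policy-load errors from enforcement denials, and lists which subjects were refused an executable mmap. It only knows the message formats that appear in this thread; any other grsec message is reported as unknown.

```python
"""Triage grsecurity 1.9-era log lines of the kind posted in this thread.

Added example, not gradm's code. Only the message formats visible in the
thread are recognised; anything else lands in the "unknown" bucket.
"""
import re

# Constructed sample: the lines from the posting above, copied as posted
# (one line in the original lacks the "grsec:" prefix; the parser tolerates that).
SAMPLE_LOG = """\
grsec: Duplicate entries in config file /etc/grsec/proc.acl at line 21
grsec: more duplicate entries, logging disabled for 20 seconds
grsec: Unable to locate file /var/log/httpd on line 7 of /etc/grsec/file.acl
grsec: more , logging disabled for 20 seconds
grsec: Loaded grsecurity 2.0
grsec: attempt to mmap 32059 771 executableby (bash:14800) UID(508) EUID(508), parent (sshd:14799) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to mmap 228923 771 executableby (gradm:14803) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to access hidden file with inode 357447 dev 771 by (bash:14763) UID(0) EUID(0), parent (sshd:14762) UID(0) EUID(0)
grsec: exec of /bin/sh by (perl:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0) attempted to use 1 malicious environment(s)
attempt to mmap 32059 771 executableby (sh:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: more malicious environments, logging disabled for 20 seconds
grsec: attempt to mmap 32082 771 executableby (ls:14881) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: exec of /bin/sh by (perl:14882) UID(0) EUID(0), parent (perl:14879) UID(0) EUID(0) attempted to use 1 malicious environment(s)
grsec: attempt to mmap 224791 771 executableby (reboot:15005) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
"""


def _proc(tag):
    # "(comm:pid) UID(n) EUID(n)" as grsec prints it for the acting and the parent process
    return (rf"\((?P<{tag}_comm>[^:()]+):(?P<{tag}_pid>\d+)\) "
            rf"UID\((?P<{tag}_uid>\d+)\) EUID\((?P<{tag}_euid>\d+)\)")


# Ordered (kind, regex) pairs; the regexes are applied after the "grsec:" prefix is stripped.
PATTERNS = [
    ("duplicate_entry", re.compile(r"^Duplicate entries in config file (?P<file>\S+) at line (?P<line>\d+)")),
    ("missing_file", re.compile(r"^Unable to locate file (?P<path>\S+) on line (?P<line>\d+) of (?P<file>\S+)")),
    ("mmap_exec", re.compile(r"^attempt to mmap (?P<inode>\d+) (?P<dev>\d+) executable\s*by "
                             + _proc("proc") + r", parent " + _proc("parent"))),
    ("hidden_file", re.compile(r"^attempt to access hidden file with inode (?P<inode>\d+) dev (?P<dev>\d+) by "
                               + _proc("proc") + r", parent " + _proc("parent"))),
    ("bad_env", re.compile(r"^exec of (?P<path>\S+) by " + _proc("proc") + r", parent " + _proc("parent")
                           + r" attempted to use (?P<count>\d+) malicious environment")),
    ("suppressed", re.compile(r"^more .*logging disabled for (?P<secs>\d+) seconds")),
    ("loaded", re.compile(r"^Loaded grsecurity (?P<version>\S+)")),
]
POLICY_LOAD = {"duplicate_entry", "missing_file"}   # emitted while gradm parses the ACL files
ENFORCEMENT = {"mmap_exec", "hidden_file", "bad_env"}  # emitted by the kernel enforcing the loaded ACLs


def parse_line(line):
    """Classify one log line; returns a dict with 'kind' plus the fields matched."""
    body = re.sub(r"^\s*grsec:\s*", "", line.strip())
    for kind, rx in PATTERNS:
        m = rx.search(body)
        if m:
            return {"kind": kind, **m.groupdict()}
    return {"kind": "unknown", "text": body}


def triage(text):
    """Split a log dump into policy-load errors, enforcement denials, info, and suppression notices."""
    report = {"policy_errors": [], "denials": [], "info": [], "suppressed": 0, "unknown": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = ev["kind"]
        if kind in POLICY_LOAD:
            report["policy_errors"].append(ev)
        elif kind in ENFORCEMENT:
            report["denials"].append(ev)
        elif kind == "suppressed":
            report["suppressed"] += 1   # each notice means further events of that type were dropped
        elif kind == "unknown":
            report["unknown"].append(ev)
        else:
            report["info"].append(ev)
    return report


def denied_exec_subjects(text):
    """Map comm -> set of (inode, dev) it was refused to mmap executable.

    Per spender's note, each such subject's ACL lacks the right to execute itself."""
    out = {}
    for ev in triage(text)["denials"]:
        if ev["kind"] == "mmap_exec":
            out.setdefault(ev["proc_comm"], set()).add((ev["inode"], ev["dev"]))
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(f"policy-load errors: {len(rep['policy_errors'])}, denials: {len(rep['denials'])}, "
          f"suppression notices: {rep['suppressed']}, unknown: {len(rep['unknown'])}")
    for ev in rep["policy_errors"]:
        print("  fix policy:", ev)
    for comm, targets in sorted(denied_exec_subjects(SAMPLE_LOG).items()):
        print(f"  subject {comm}: cannot mmap executable {sorted(targets)}")
```

Run against the posted lines it reports two policy-load errors to fix before `gradm -E`, eight denials, and five subjects (bash, gradm, sh, ls, reboot) refused an executable mmap; the inode/dev pairs also show that bash and sh were refused the same inode, so one object rule covers both. The eight suppression notices are a reminder that the dump undercounts: the kernel dropped further events of each type for 20 seconds after each burst.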

problems

PostPosted: Fri Apr 26, 2002 4:01 pm
by michaeld
Mail me your configuration files if you don't want to wait until 1.9.5 and I'll fix them up (michael@grsecurity.net)

Fixed ;]

PostPosted: Sun Apr 28, 2002 10:55 pm
by Stefan
The problem was that there were a few programs in the ACL files that were not on my system.

Thanks for your help michaeld 8)

Post here the fixed and the non-fixed ACLs pls :)

PostPosted: Tue Apr 30, 2002 8:55 am
by Sea-you
Post here the fixed and the non-fixed ACLs pls :) We should learn from that :)