grsecurity forums

Hello,

Who can help me with a ACL for sshd?!
How should i configure the learning mode, to get the best result?

Thanx,

^r00t^

/usr/sbin/sshd lo {
/ h
-CAP_ALL
connect {
disabled
}
bind {
disabled
}
}

use that for a couple of days. stop the service, start it back up again a couple of times. Then run gradm -L -O /etc/grsec/acl

-Brad

Hey Their
Here's My sshd ACL version I run an SSHD SERVER for Shell./webhosting providing.

/usr/sbin/sshd lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}

}


after about 12 hours , here's the Learn mode Generated ACL

-----------------------------------------------------------------------------------
/usr/sbin/sshd o {
/var/log
/tmp/ssh-XXmHU33n/agent.2585 w
/tmp/ssh-XXZCt281/agent.2696 w
/tmp/ssh-XXXXkxqh/agent.848 w
/tmp/ssh-XX3De1zI/agent.2026 w
/tmp w
/proc/2896/fd/0
/proc/2895/fd/8
/proc/2842/fd/0
/proc/2829/fd/7
/proc/2697/fd/0
/proc/2696/fd/8
/proc/2645/fd/0
/proc/2643/fd/7
/proc/2586/fd/0
/proc/2585/fd/8
/proc/2536/fd/0
/proc/2535/fd/7
/proc/2309/fd/0
/proc/2308/fd/7
/proc/2027/fd/0
/proc/2026/fd/8
/proc
/home/gr
/home/admin
/etc/ssh/moduli r
/etc/security/pam_env.conf r
/etc/security/limits.conf r
/etc/security/console.perms r
/etc/pam.d/system-auth r
/etc/pam.d/sshd r
/etc/pam.d/other r
/etc/pam.d
/etc r
/dev/pts/1 rw
/dev/pts/0 w
/dev/pts
/ h
/usr/sbin/sshd x
/bin/bash x
/dev/log
/dev/null rw
/dev/ptmx rw
/dev/pts/2 rw
/dev/pts/3 rw
/dev/tty rw
/etc/ld.so.cache rx
/lib/i686/libc-2.2.5.so x
/lib rx
/lib/security rx
/sbin/insmod x
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/usr/lib/libz.so.1.1.3 x
/var/log/lastlog rw
/var/log/wtmp w
/var/run w
/var/run/sshd.pid w
/var/run/utmp rw
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
RES_FSIZE 201840 201840
RES_DATA 259856 259856
RES_STACK 152552 152552
RES_RSS 0 0
RES_NPROC 45 45
RES_NOFILE 14 9
RES_MEMLOCK 0 0
RES_AS 4305184 4305184
RES_LOCKS 0 0

connect {
66.201.235.79:53 dgram udp
}

bind {
disabled
}
}



I hope this could help

you can get rid of the subdirs of /proc in the acl, and the stuff for /tmp as well. The reduced ACL handles them. The reason I don't do this automatically in the code is because it's another O(n^2) operation...i'll find a way to make it faster though, so that I can do it automatically.

-Brad

Slackware 9.0b OpenSSH 3.5p1:

Code: Select all

/usr/sbin/sshd opX {

        / h

        /etc r
        /etc/ssh r
        /etc/ld.so.cache rx
        /etc/grsec h

        /var/empty
        /var/log
        /var/log/wtmp w
        /var/log/lastlog rw
        /var/run/utmp rw
        /var/run/sshd.pid rw
        /var/run

        /usr/lib rx
        /usr/libexec/sftp-server
        /usr/share r

        /home
        /lib rx
        /root
        /tmp rw
        /proc

        /dev/urandom r
        /dev/tty rw
        /dev/pts rw
        /dev/ptmx rw
        /dev/null rw
        /dev/log rw

        /bin/bash x
        /usr/sbin/sshd x

        -CAP_ALL
        +CAP_CHOWN
        +CAP_KILL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_NET_BIND_SERVICE
        +CAP_SYS_CHROOT
        +CAP_DAC_OVERRIDE
        +CAP_SYS_TTY_CONFIG

        RES_CRASH 1 10m
        connect {
                127.0.0.1/32:21 stream tcp
                0.0.0.0/0:53 stream tcp
                0.0.0.0/0:113 stream tcp
                0.0.0.0/0:53 dgram udp
        }
        bind {
                0.0.0.0/0:22 stream tcp
        }
}

/usr/libexec/sftp-server oX {

        / h

        /etc/group r
        /etc/grsec h
        /etc/nsswitch.conf r
        /etc/ld.so.cache rx
        /etc/passwd r

        /usr/lib rx
        /usr/libexec/sftp-server x
        /usr/share r
        /tmp rw
        /root rw
        /proc
        /lib rx
        /home rw

        -CAP_ALL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        connect {
                disabled
        }
        bind {
                disabled
        }
}