Your password file is not set up correctly

Postby Peter » Wed Nov 30, 2005 5:51 pm

Hi,
I am trying to set up my first grsec.

I have here my default acl:
Code:
role default
subject / {
        /                               h
        -CAP_ALL
        connect disabled
        bind    disabled
}


but every time I want to enable learning,
there comes an error:

Code:
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
....


In the grsec PDF manual it says that I shall begin learning with:
Code:
gradm -F -L /etc/grsec/learning.logs


So, what do I do wrong?

I think it is a typical newbie question, sorry for boring you.
But I have been trying for 2 days, studying the manual, and I really cannot find the failure :(

Gruss,
Peter
Peter
 
Posts: 22
Joined: Sat Sep 20, 2003 5:37 am

Postby Peter » Mon Dec 05, 2005 6:56 pm

I really did not find out the failure.

Could someone help me?

Is it so difficult to start learning mode?
:(
Peter
 
Posts: 22
Joined: Sat Sep 20, 2003 5:37 am

Postby fonya » Tue Dec 06, 2005 9:17 am

Peter wrote: I really did not find out the failure.

Could someone help me?

Is it so difficult to start learning mode?
:(


No, you just need to read the message that you get:

Code:
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.

So it said: run `gradm -P admin`

The root, and admin are special, and default role, they must be set some passwd.
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby Peter » Tue Dec 06, 2005 9:53 am

fonya wrote:
Peter wrote: I really did not find out the failure.

Could someone help me?

Is it so difficult to start learning mode?
:(


No, you just need to read the message that you get:

Code:
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.

So it said: run `gradm -P admin`

The root, and admin are special, and default role, they must be set some passwd.

Yes, but it is like a circle, as I wrote in the first post:

Code:
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
...
Peter
 
Posts: 22
Joined: Sat Sep 20, 2003 5:37 am

Postby spender » Tue Dec 06, 2005 6:56 pm

Try with a proper default role that should look like:

role default G
role_transitions admin
subject /
/ h
-CAP_ALL
connect disabled
bind disabled

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Peter » Tue Dec 06, 2005 9:13 pm

Sorry, I am too stupid.

It doesn't work.
I cleaned up my /etc/grsec and this is what I have:
Code:
root@pc1:/etc/grsec# ls -la
total 28
drwxr-xr-x   2 root root 4096 Dec  7 02:06 .
drwxr-x--x 147 root root 8192 Dec  7 00:54 ..
-rw-r--r--   1 root root   94 Dec  7 02:03 acl
-rw-------   1 root root 4448 Nov 29 00:26 learn_config
-rw-------   1 root root 2848 Dec  7 02:03 pw
root@pc1:/etc/grsec# uname -a
Linux pc1 2.6.14.2-grsec-1-amd64-k8-smp #1 SMP Sun Nov 27 03:45:28 CET 2005 i686 GNU/Linux
root@pc1:/etc/grsec#


and then:
Code:
root@pc1:/etc/grsec# cat acl
role default G
role_transitions admin
subject /
/ h
-CAP_ALL
connect disabled
bind disabled

root@pc1:/etc/grsec# cat learn_config
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname.  This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction.  If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource.  Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly.  It is recommended
#to use highly sensitive files for this command.
#
#regular expressions are not supported for pathnames in this config file

always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /tmp
always-reduce-path /var/tmp

high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib

dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

protected-path /etc
protected-path /lib
protected-path /boot
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root

high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp/chap-secrets
high-protected-path /etc/ppp/pap-secrets
high-protected-path /etc/samba/smbpasswd

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d

root@pc1:/etc/grsec#                             


And a pw file, but it looks like binary.

And it looks the same as before:
Code:
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@pc1:/etc/grsec# gradm -F -L /etc/grsec/learning.logs
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
....


So, where is my newbie fault? ;)

Thank you for your time and support,
Peter.
Peter
 
Posts: 22
Joined: Sat Sep 20, 2003 5:37 am

Postby spender » Tue Dec 06, 2005 9:23 pm

Your /etc/grsec/pw file looks much too large, and you're missing the /etc/grsec/policy file. Can you make sure you're using the latest version of grsecurity/gradm, let gradm's 'make install' install the /etc/grsec/policy file (/etc/grsec/acl isn't used anymore), remove your /etc/grsec/pw file, and recreate it with gradm -P and gradm -P admin?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
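
A preflight for the layout problems spender lists above, as an added example that is not part of the original thread or of gradm itself. `grsec_preflight` and `demo_layout` are hypothetical names, the pw permission check is an assumption taken from the mode shown in Peter's listing, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: checks to run before `gradm -F -L`, based on this thread.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
grsec_preflight() {
    dir=${1:-/etc/grsec}
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # spender: the policy lives in /etc/grsec/policy; /etc/grsec/acl is no longer used.
    [ -f "$dir/policy" ] || note "missing: $dir/policy (installed by gradm's 'make install')"
    [ -e "$dir/acl" ] && note "legacy: $dir/acl is not used anymore"

    # Assumption: pw should be root-only (rw-------), as in Peter's listing.
    # The thread gives no expected size for pw, so size is not judged here.
    if [ ! -f "$dir/pw" ]; then
        note "missing: $dir/pw (run gradm -P and gradm -P admin)"
    elif [ "$(ls -ld "$dir/pw" | cut -c5-10)" != "------" ]; then
        note "perms: $dir/pw is accessible to group or other"
    fi

    # spender's default role lists admin under role_transitions.
    if [ -f "$dir/policy" ] && ! awk '
        $1 == "role" { in_default = ($2 == "default") }
        in_default && $1 == "role_transitions" {
            for (i = 2; i <= NF; i++) if ($i == "admin") found = 1
        }
        END { exit !found }' "$dir/policy"
    then
        note "policy: role default has no role_transitions to admin"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed directory mirroring Peter's `ls -la`: acl, learn_config, pw, no policy.
demo_layout() {
    d=$(mktemp -d)
    printf 'role default G\nrole_transitions admin\nsubject /\n/ h\n' > "$d/acl"
    : > "$d/learn_config"
    : > "$d/pw"
    chmod 600 "$d/pw"
    printf '%s\n' "$d"
}
```

Run it as root with `grsec_preflight /etc/grsec`; on the constructed layout it reports the missing policy file and the leftover acl file.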

Postby fonya » Wed Dec 07, 2005 9:31 am

Peter wrote:
Code:
root@pc1:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.


I don't see it anywhere: did you run 'gradm -P' for the root role, not the admin role?
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby Peter » Wed Dec 07, 2005 6:32 pm

spender wrote: Your /etc/grsec/pw file looks much too large, and you're missing the /etc/grsec/policy file. Can you make sure you're using the latest version of grsecurity/gradm, let gradm's 'make install' install the /etc/grsec/policy file (/etc/grsec/acl isn't used anymore), remove your /etc/grsec/pw file, and recreate it with gradm -P and gradm -P admin?

-Brad

Hi,
okay, I did:
rm -rf /etc/grsec
reinstalled gradm and began anew from the start and.....
it works...!?

Don't know why now..?

But sometimes I have a talent for this. ;)

Thank you for your time and support!
Peter
 
Posts: 22
Joined: Sat Sep 20, 2003 5:37 am

