chroot break attempt logging

Postby cormander » Fri Feb 15, 2008 11:37 pm

In the chroot options there are things to protect against breaking out of a chroot... calling chroot inside a chroot, calling fchdir, etc.

Would it be possible to add an option for the logging of these attempts?

Re: chroot break attempt logging

Postby spender » Fri Feb 22, 2008 11:23 am

You mean a separate option to enable/disable the logging of those things? All the features but capability restrictions have an associated log. Do you have an application that causes many log messages to be produced or something?

-Brad

Re: chroot break attempt logging

Postby cormander » Wed Mar 12, 2008 12:54 pm

In this example, all grsecurity sysctl options are enabled except:

/proc/sys/kernel/grsecurity/chroot_enforce_chdir
/proc/sys/kernel/grsecurity/chroot_deny_chroot

Logging into a machine with the jk_chrootsh shell:

Code:
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home/corman by /usr/sbin/sshd[sshd:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/sbin/jk_chrootsh (-jk_chrootsh ) by /usr/sbin/sshd[sshd:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/0 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home/corman by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/bash within chroot by process /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500
Mar 12 12:44:41 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/bash (/bin/bash ) by /usr/sbin/jk_chrootsh[jk_chrootsh:5590] uid/euid:500/500 gid/egid:500/500, parent /usr/sbin/sshd[sshd:5589] uid/euid:500/500 gid/egid:500/500


It logs the exec of the jk_chrootsh shell, the chdirs, the exec of bash, and the exec of bash within the chroot, but it doesn't actually log the fact that jk_chrootsh made a call to chroot().

Additionally, if the user executes a binary inside the jail that is a suid binary that makes a call to chroot() (i.e. to break out of the chroot), it logs the chdirs enforced by grsecurity, but not the actual calls to chroot().

Example C code:

Code:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strerror() */
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Test binary from the post: installed setuid root inside the jail so that
 * the chroot()/chdir("..") sequence below runs with euid 0. Return values
 * are deliberately ignored; the point is to see what grsecurity logs. */
int main(int argc, char *const argv[])
{
  int i;

  setuid(0);
  setgid(0);

  /* classic chroot-escape sequence: nest a chroot, walk up past the
   * jail root, then chroot to the current directory */
  chroot("/tmp");
  for (i = 0; i < 100; i++)
    chdir("..");
  chroot(".");

  /* only reached (as /bin/ls outside the jail) if the escape worked */
  execv("/bin/ls", argv);

  /* execv returned, so it failed: report why */
  printf("%s: %s\n", argv[0], strerror(errno));

  exit(errno);

}


It's compiled, put as /bin/tester inside the chroot, and chmod'd to 4755. Here are the logs from exec from within the chroot:

Code:
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester within chroot by process /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester (tester ) by /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to / by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost last message repeated 96 times
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /bin/ls (tester ) by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500


That's all good, but again, doesn't actually log the two calls to chroot().

If either chroot_enforce_chdir or chroot_deny_chroot is turned on, this binary doesn't work at all, which is the expected behavior. But the fact that chroot() was called, and did or didn't work, isn't being logged.

I realize that properly enforcing TPE on users will prevent them from running their own code, but I'd still like to see the option for logging of the chroot() call, and whether or not it was successful.
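Until such a log message exists, the escape is still visible in the chdir/exec records the thread quotes: a process exec'd "within chroot" that then changes uid/euid and walks to a path outside the jail. The parser and check below are an added example, not code from the thread or from grsecurity; the sample log lines are constructed from the messages quoted above, and the jail root /usr/jail is an assumption taken from those paths.

```python
import re

# Constructed sample modelled on the grsec lines quoted above (source IP anonymised as in the post).
SAMPLE_LOG = """\
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester within chroot by process /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /usr/jail/bin/tester (tester ) by /usr/jail/bin/bash[bash:5596] uid/euid:500/500 gid/egid:500/500, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to /usr/jail/home by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: chdir to / by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
Mar 12 12:45:25 localhost kernel: grsec: From 10.x.x.x: exec of /bin/ls (tester ) by /usr/jail/bin/tester[tester:5596] uid/euid:0/0 gid/egid:0/0, parent /usr/jail/bin/bash[bash:5590] uid/euid:500/500 gid/egid:500/500
"""

# Fields of a grsec chdir/exec record: event, path, "within chroot" marker, actor [comm:pid], uid/euid.
LINE_RE = re.compile(
    r"grsec: From \S+: (?P<event>chdir to|exec of) (?P<path>\S+)(?P<within> within chroot)?"
    r" .*?by (?:process )?(?P<proc>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")

def parse_line(line):
    """Return a dict for a grsec chdir/exec line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["within"] = ev["within"] is not None
    ev["pid"], ev["uid"], ev["euid"] = int(ev["pid"]), int(ev["uid"]), int(ev["euid"])
    return ev

def inside_jail(path, jail_root):
    root = jail_root.rstrip("/")
    return path == root or path.startswith(root + "/")

def detect_chroot_escapes(lines, jail_root):
    """Flag a pid exec'd 'within chroot' that later changes uid/euid (setuid) or chdirs/execs
    outside jail_root: the pattern the log above shows, since chroot() itself leaves no record."""
    chrooted = {}  # pid -> (uid, euid) last seen while inside the jail
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pid, creds = ev["pid"], (ev["uid"], ev["euid"])
        if ev["within"]:
            chrooted[pid] = creds
        elif pid in chrooted:
            if creds != chrooted[pid]:
                alerts.append((pid, "credential change", f"{chrooted[pid]} -> {creds}"))
                chrooted[pid] = creds
            if not inside_jail(ev["path"], jail_root):
                alerts.append((pid, ev["event"] + " outside jail", ev["path"]))
    return alerts
```

Run over the sample it reports three alerts for pid 5596: the jump from 500/500 to 0/0, the chdir to /, and the exec of /bin/ls outside the jail.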