KintaroBC (n00b)
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Feb 16, 2014 8:44 pm Post subject: /dev/grsec is missing
I am having problems using gradm, because /dev/gradm is missing.
It appears if I use udev but that is causing more problems, just as /dev/pts not working for mysterious reasons.
I've not made a device node in a long time so I'm not sure how to create /dev/gradm myself. There must be something I've missed in the documentation for Hardened Gentoo. Though I can't find much on Google that is any help.
I managed to create the device node but it just disappeared after gradm -E was used.
Code:
gentoo ~ # mknod -m 500 /dev/grsec c 1 13
gentoo ~ # gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
gentoo ~ # gradm -E
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
gentoo ~ # gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
gentoo ~ # gradm -E
gentoo ~ # gradm -F -L /etc/grsec/learning.log
Could not open /dev/grsec.
open: Permission denied
gentoo ~ # mknod -m 500 /dev/grsec c 1 13
mknod: ‘/dev/grsec’: No such file or directory
This is very strange, why isn't any of this documented?
Last edited by KintaroBC on Mon Feb 17, 2014 7:26 pm; edited 1 time in total
KintaroBC (n00b)
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Feb 16, 2014 10:45 pm Post subject:
I've got some more information, after a reboot /dev/gradm was there. Upon running gradm -E an error appears in /var/log/messages and numerous things break.
Code:
Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Some programs work after this, some don't. I noticed dmesg doesn't work.
Code:
Feb 16 22:41:11 gentoo kernel: [ 675.264164] grsec: From 192.168.0.3: (default:D:/) use of CAP_SYSLOG denied for /bin/dmesg[dmesg:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
It seems grsec is denying gradm.
Last edited by KintaroBC on Mon Feb 17, 2014 7:25 pm; edited 1 time in total
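The two kernel-log lines quoted in the post share one denial format. As an added example (not part of the post or of gradm), here is a Python parser that pulls the role, the subject the kernel matched, the denied capability and the process/parent fields out of such lines and tallies them; the sample log is constructed in that format.

```python
import re
from collections import Counter

# Constructed sample in the grsecurity RBAC denial format the thread quotes; the
# PIDs, timestamps and source address are made up and the usb line is filler.
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:11 gentoo kernel: [  675.264164] grsec: From 192.168.0.3: (default:D:/) use of CAP_SYSLOG denied for /bin/dmesg[dmesg:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:30 gentoo kernel: [  694.100000] grsec: (default:D:/) use of CAP_SYSLOG denied for /bin/dmesg[dmesg:3320] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:45 gentoo kernel: [  709.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

# "(role:type:subject)" names the RBAC role, its type letter and the subject the
# kernel matched for the process; the "From <ip>" prefix is treated as optional.
CAP_DENIED = re.compile(
    r"grsec: (?:From (?P<src>[\d.]+): )?"
    r"\((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

def parse_cap_denial(line):
    """Return a dict for a capability-denial line, None for any other line."""
    m = CAP_DENIED.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    return rec

def summarise(log_text):
    """Count denials per (role, matched subject, capability, binary); a denial
    charged to subject "/" means no more specific subject matched the binary."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_cap_denial(line)
        if rec is not None:
            counts[(rec["role"], rec["subject"], rec["cap"], rec["path"])] += 1
    return counts

def root_denials(log_text):
    """Denials hit while running as euid 0: the ones that break admin tooling."""
    return [rec for rec in map(parse_cap_denial, log_text.splitlines())
            if rec is not None and rec["euid"] == 0]
```

The subject field inside the parentheses is the most useful column when tuning a policy: it tells you which subject block in /etc/grsec/policy the process was actually evaluated under.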
John R. Graham (Administrator)
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Mon Feb 17, 2014 11:59 am Post subject:
Moved from Kernel & Hardware to Networking & Security as requested by the OP.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
KintaroBC (n00b)
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Mon Feb 17, 2014 7:16 pm Post subject:
This is very strange, I've just noticed that after I've run "grsec -E" /etc/grsec ends up missing, along with lots of other stuff. I really need help here, there is nothing on the Grsecurity2 page on the Wiki that explains any of this.
I tried adding /sbin/gradm to /etc/grsec/policy but I get errors, and I think I need to do more than this. It stands to reason that the default policy at this point is broken.
Code:
subject /sbin/gradm
/etc/grsec rw
+CAP_DAC_OVERRIDE
It says the subject is duplicate, but I'm really not sure why, considering I've searched for /sbin/gradm in there and it found nothing. Some other subject must apply to the file, but I have no idea which one.
Here is /etc/grsec/policy:
Code:
define grsec_denied {
/boot h
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/etc/grsec h
/proc/kcore h
/proc/slabinfo h
/proc/modules h
/proc/kallsyms h
# hide and suppress logs about accessing this path
/lib/modules hs
/lib32/modules hs
/lib64/modules hs
/etc/ssh h
}
# usage:
# $grsec_denied
role shutdown sARG
subject / rvka
/
/dev
/dev/urandom r
/dev/random r
/etc r
/bin rx
/sbin rx
/lib rx
/lib32 rx
/libx32 rx
/lib64 rx
/usr rx
/proc r
$grsec_denied
-CAP_ALL
connect disabled
bind disabled
subject /sbin/init rvkao
/ rwcdmlxi
subject /sbin/halt rvkao
/ rwcdmlxi
/dev/initctl rwf
/run/initctl rwf
subject /sbin/shutdown rvkao
/ rwcdmlxi
/dev/initctl rwf
/run/initctl rwf
# Make sure to unauthenticate with gradm -u from
# the admin role after restarting a service
# The service started will run with admin
# privileges until you run gradm -u or your shell exits
role admin sA
subject / rvka
/ rwcdmlxi
role default G
role_transitions admin shutdown
subject /
/ r
/opt rx
/home rwxcd
/mnt rw
/dev
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/bin rx
/sbin rx
/lib rx
/lib32 rx
/libx32 rx
/lib64 rx
/usr rx
# compilation of kernel code should be done within the admin role
/usr/src h
/etc rx
/proc rwx
/proc/sys r
/sys h
/root r
/run r
/tmp rwcd
/var rwxcd
/var/tmp rwcd
/var/log r
# hide the kernel images and modules
$grsec_denied
# if sshd needs to be restarted, it can be done through the admin role
# restarting sshd should be followed immediately by a gradm -u
/usr/sbin/sshd
-CAP_KILL
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_NET_RAW
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
-CAP_SETFCAP
-CAP_SYSLOG
# RES_AS 100M 100M
# connect 192.168.1.0/24:22 stream tcp
# bind 0.0.0.0 stream dgram tcp udp
# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)
subject /usr/sbin/sshd dpo
/
/* h
/bin/bash x
/dev h
/dev/log rw
/dev/random r
/dev/urandom r
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/tty? rw
/etc r
/etc/grsec h
/home
/home/*/.ssh/authorized_keys r
/lib rx
/lib32 rx
/libx32 rx
/lib64 rx
/root
/proc r
/proc/*/oom_adj rw
/proc/kcore h
/proc/sys h
/proc/sys/kernel/ngroups_max r
/selinux r
/usr/lib rx
/usr/lib32 rx
/usr/libx32 rx
/usr/lib64 rx
/usr/share/zoneinfo r
/var/log
/var/mail
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/run
/var/run/sshd
/var/run/utmp rw
/var/run/utmpx rw
/var/run/.nscd_socket rw
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
+CAP_AUDIT_WRITE
# to access user keys
+CAP_DAC_OVERRIDE
subject /usr/X11R6/bin/Xorg
/dev/mem rw
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
+CAP_SYS_RAWIO
subject /usr/X11R6/bin/XFree86
/dev/mem rw
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
+CAP_SYS_RAWIO
-PAX_SEGMEXEC
-PAX_PAGEEXEC
-PAX_MPROTECT
subject /usr/bin/ssh
/etc/ssh/ssh_config r
subject /usr/bin/postgres
/dev/log rw
subject /usr/bin/exim
/dev/log rw
subject /sbin/klogd
+CAP_SYS_ADMIN
subject /sbin/syslog-ng
+CAP_SYS_ADMIN
subject /usr/sbin/rsyslogd
+CAP_SYS_ADMIN
subject /usr/sbin/cron
/dev/log rw
subject /usr/sbin/crond
/dev/log rw
subject /bin/login
/dev/log rw
/var/log/wtmp w
/var/log/faillog rwcd
subject /bin/su
/dev/log rw
subject /usr/bin/sudo
/dev/log rw
subject /sbin/getty
/var/log/wtmp w
subject /sbin/init
/var/log/wtmp w
subject /usr/bin/xauth
/home r
/home/*/.Xauthority-* rwcdl
subject /sbin/gradm
/etc/grsec rw
+CAP_DAC_OVERRIDE
# prevent ld.so breakouts of subjects with /lib rx
# many distros clutter up /lib with shell scripts
# that can be easily hijacked for malicious purposes
subject /lib o
/ h
-CAP_ALL
connect disabled
bind disabled
subject /lib/ld-linux.so.2 o
/ h
-CAP_ALL
connect disabled
bind disabled
subject /lib64/ld-linux-x86-64.so.2 o
/ h
-CAP_ALL
connect disabled
bind disabled
It might all be related to the options I've turned on configuring the kernel.
Code:
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=100
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
# CONFIG_GRKERNSEC_SETXID is not set
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=101
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
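As an added illustration (my own sketch, not gradm's code), the following models how the RBAC picks the subject and object rule for a process, assuming longest-prefix matching for both and object inheritance from outer subjects unless a subject carries the 'o' flag. Run on a constructed excerpt of the policy posted above, it shows why a shell in the default role sees /etc/grsec as hidden ('h', pasted in by $grsec_denied), which is the "ends up missing" symptom, while the /sbin/gradm subject gets it 'rw'.

```python
# Constructed excerpt in the format of the thread's /etc/grsec/policy (caps and socket rules omitted).
POLICY = """\
define grsec_denied {
/etc/grsec h
}
role default G
subject /
/ r
/etc rx
$grsec_denied
subject /sbin/gradm
/etc/grsec rw
subject /lib o
/ h
"""

def parse_policy(text):
    """Return {role: [(subject_path, subject_mode, {object_path: mode}), ...]}."""
    defines, roles, role, subj = {}, {}, None, None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "define":                 # "define name { ... }": reusable object list
            subj = defines[tok[1]] = {}
        elif tok[0] == "role":
            role = roles.setdefault(tok[1], [])
        elif tok[0] == "subject":
            subj = {}
            role.append((tok[1], tok[2] if len(tok) > 2 else "", subj))
        elif tok[0].startswith("$"):           # $name pastes the define's objects here
            subj.update(defines[tok[0][1:]])
        elif tok[0].startswith("/"):           # "}", caps and socket lines fall through
            subj[tok[0]] = tok[1] if len(tok) > 1 else ""
    return roles

def covers(rule, path):
    return rule == "/" or path == rule or path.startswith(rule + "/")

def resolve(roles, role, exe, path):
    """Longest-prefix subject for `exe`; objects come from outer subjects too unless 'o' is set."""
    chain = sorted((s for s in roles[role] if covers(s[0], exe)), key=lambda s: -len(s[0]))
    for _, mode, objects in chain:
        hits = [o for o in objects if covers(o, path)]
        if hits:
            best = max(hits, key=len)
            return chain[0][0], best, objects[best]
        if "o" in mode:                        # override: do not inherit outer objects
            break
    return chain[0][0], None, ""
```

The returned triple is (governing subject, matching object rule, mode); an empty mode means no object rule grants any access at all.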