Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
/dev/grsec is missing
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
KintaroBC
n00b
n00b


Joined: 15 Feb 2014
Posts: 54
Location: Australia

PostPosted: Sun Feb 16, 2014 8:44 pm    Post subject: /dev/grsec is missing Reply with quote

I am having problems using gradm, because /dev/gradm is missing.

It appears if I use udev but that is causing more problems, just as /dev/pts not working for mysterious reasons.

I've not made a device node in a long time so I'm not sure how to create /dev/gradm myself. There must be something I've missed in the documentation for Hardened Gentoo. Though I can't find much on Google that is any help.

I managed to create the device node but it just disappeared after gradm -E was used.

Code:

gentoo ~ # mknod -m 500 /dev/grsec c 1 13
gentoo ~ # gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
gentoo ~ # gradm -E
No password exists for special role admin.
Run gradm -P admin to set up a password for the role.
gentoo ~ # gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
gentoo ~ # gradm -E
gentoo ~ # gradm -F -L /etc/grsec/learning.log
Could not open /dev/grsec.
open: Permission denied

gentoo ~ # mknod -m 500 /dev/grsec c 1 13
mknod: ‘/dev/grsec’: No such file or directory


This is very strange, why isn't any of this documented?


Last edited by KintaroBC on Mon Feb 17, 2014 7:26 pm; edited 1 time in total
Back to top
View user's profile Send private message
KintaroBC
n00b
n00b


Joined: 15 Feb 2014
Posts: 54
Location: Australia

PostPosted: Sun Feb 16, 2014 10:45 pm    Post subject: Reply with quote

I've got some more information, after a reboot /dev/gradm was there. Upon running gradm -E an error appears in /var/log/messages and numerous things break.

Code:

Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0


Some programs work after this, some don't. I noticed dmesg doesn't work.

Code:

Feb 16 22:41:11 gentoo kernel: [  675.264164] grsec: From 192.168.0.3: (default:D:/) use of CAP_SYSLOG denied for /bin/dmesg[dmesg:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0


It seems grsec is denying gradm.


Last edited by KintaroBC on Mon Feb 17, 2014 7:25 pm; edited 1 time in total
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Mon Feb 17, 2014 11:59 am    Post subject: Reply with quote

Moved from Kernel & Hardware to Networking & Security as requested by the OP.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
KintaroBC
n00b
n00b


Joined: 15 Feb 2014
Posts: 54
Location: Australia

PostPosted: Mon Feb 17, 2014 7:16 pm    Post subject: Reply with quote

This is very strange, I've just noticed that after I've ran "grsec -E" that /etc/grsec ends up missing, along with lots of other stuff. I really need help here, there is nothing on the Grsecurity2 page on the Wiki that explains any of this.

I tried adding /sbin/gradm to /etc/grsec/policy but I get errors, and I think I need to do more than this. It stands to reason that the default policy at this point is broken.

Code:

subject /sbin/gradm
        /etc/grsec rw
        +CAP_DAC_OVERRIDE


It says the subject is duplicate, but I'm really not sure why, considering I've searched for /sbin/gradm in their and it found nothing. Some other subject must apply to the file, but I have no idea which one.

Here is /etc/grsec/policy
Code:

define grsec_denied {
        /boot           h
        /dev/grsec      h
        /dev/kmem       h
        /dev/mem        h
        /dev/port       h
        /etc/grsec      h
        /proc/kcore     h
        /proc/slabinfo  h
        /proc/modules   h
        /proc/kallsyms  h
        # hide and suppress logs about accessing this path
        /lib/modules    hs
        /lib32/modules  hs
        /lib64/modules  hs
        /etc/ssh        h
}
# usage:
# $grsec_denied

role shutdown sARG
subject / rvka
        /
        /dev
        /dev/urandom    r
        /dev/random     r
        /etc            r
        /bin            rx
        /sbin           rx
        /lib            rx
        /lib32          rx
        /libx32         rx
        /lib64          rx
        /usr            rx
        /proc r
        $grsec_denied
        -CAP_ALL
        connect disabled
        bind disabled

subject /sbin/init rvkao
        / rwcdmlxi
subject /sbin/halt rvkao
        / rwcdmlxi
        /dev/initctl rwf
        /run/initctl rwf
subject /sbin/shutdown rvkao
        / rwcdmlxi
        /dev/initctl rwf
        /run/initctl rwf

# Make sure to unauthenticate with gradm -u from
# the admin role after restarting a service
# The service started will run with admin
# privileges until you run gradm -u or your shell exits

role admin sA
subject / rvka
        / rwcdmlxi

role default G
role_transitions admin shutdown
subject /
        /               r
        /opt            rx
        /home           rwxcd
        /mnt            rw
        /dev
        /dev/urandom    r
        /dev/random     r
        /dev/zero       rw
        /dev/input      rw
        /dev/psaux      rw
        /dev/null       rw
        /dev/tty?       rw
        /dev/console    rw
        /dev/tty        rw
        /dev/pts        rw
        /dev/ptmx       rw
        /dev/dsp        rw
        /dev/mixer      rw
        /dev/initctl    rw
        /dev/fd0        r
        /dev/cdrom      r
        /bin            rx
        /sbin           rx
        /lib            rx
        /lib32          rx
        /libx32         rx
        /lib64          rx
        /usr            rx
# compilation of kernel code should be done within the admin role
        /usr/src        h
        /etc            rx
        /proc           rwx
        /proc/sys       r
        /sys            h
        /root           r
        /run            r
        /tmp            rwcd
        /var            rwxcd
        /var/tmp        rwcd
        /var/log        r
# hide the kernel images and modules
        $grsec_denied

# if sshd needs to be restarted, it can be done through the admin role
# restarting sshd should be followed immediately by a gradm -u
        /usr/sbin/sshd

        -CAP_KILL
        -CAP_SYS_TTY_CONFIG
        -CAP_LINUX_IMMUTABLE
        -CAP_NET_RAW
        -CAP_MKNOD
        -CAP_SYS_ADMIN
        -CAP_SYS_RAWIO
        -CAP_SYS_MODULE
        -CAP_SYS_PTRACE
        -CAP_NET_ADMIN
        -CAP_NET_BIND_SERVICE
        -CAP_NET_RAW
        -CAP_SYS_CHROOT
        -CAP_SYS_BOOT
        -CAP_SETFCAP
        -CAP_SYSLOG

#       RES_AS 100M 100M

#       connect 192.168.1.0/24:22 stream tcp
#       bind    0.0.0.0 stream dgram tcp udp

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)

subject /usr/sbin/sshd dpo
        /
        /*              h
        /bin/bash       x
        /dev            h
        /dev/log        rw
        /dev/random     r
        /dev/urandom    r
        /dev/null       rw
        /dev/ptmx       rw
        /dev/pts        rw
        /dev/tty        rw
        /dev/tty?       rw
        /etc            r
        /etc/grsec      h
        /home
        /home/*/.ssh/authorized_keys r
        /lib            rx
        /lib32          rx
        /libx32         rx
        /lib64          rx
        /root
        /proc           r
        /proc/*/oom_adj rw
        /proc/kcore     h
        /proc/sys       h
        /proc/sys/kernel/ngroups_max r
        /selinux        r
        /usr/lib        rx
        /usr/lib32      rx
        /usr/libx32     rx
        /usr/lib64      rx
        /usr/share/zoneinfo r
        /var/log
        /var/mail
        /var/log/lastlog        rw
        /var/log/wtmp           w
        /var/run
        /run
        /var/run/sshd
        /var/run/utmp           rw
        /var/run/utmpx          rw
        /var/run/.nscd_socket   rw

        -CAP_ALL
        +CAP_CHOWN
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        +CAP_SYS_RESOURCE
        +CAP_SYS_TTY_CONFIG
        +CAP_AUDIT_WRITE
        # to access user keys
        +CAP_DAC_OVERRIDE

subject /usr/X11R6/bin/Xorg
        /dev/mem        rw

        +CAP_SYS_ADMIN
        +CAP_SYS_TTY_CONFIG
        +CAP_SYS_RAWIO

subject /usr/X11R6/bin/XFree86
        /dev/mem        rw

        +CAP_SYS_ADMIN
        +CAP_SYS_TTY_CONFIG
        +CAP_SYS_RAWIO

        -PAX_SEGMEXEC
        -PAX_PAGEEXEC
        -PAX_MPROTECT

subject /usr/bin/ssh
        /etc/ssh/ssh_config r

subject /usr/bin/postgres
        /dev/log rw

subject /usr/bin/exim
        /dev/log rw

subject /sbin/klogd
        +CAP_SYS_ADMIN

subject /sbin/syslog-ng
        +CAP_SYS_ADMIN

subject /usr/sbin/rsyslogd
        +CAP_SYS_ADMIN

subject /usr/sbin/cron
        /dev/log rw

subject /usr/sbin/crond
        /dev/log rw

subject /bin/login
        /dev/log rw
        /var/log/wtmp w
        /var/log/faillog rwcd

subject /bin/su
        /dev/log rw

subject /usr/bin/sudo
        /dev/log rw

subject /sbin/getty
        /var/log/wtmp w

subject /sbin/init
        /var/log/wtmp w

subject /usr/bin/xauth
        /home r
        /home/*/.Xauthority-* rwcdl

subject /sbin/gradm
        /etc/grsec rw
        +CAP_DAC_OVERRIDE

# prevent ld.so breakouts of subjects with /lib rx

# many distros clutter up /lib with shell scripts
# that can be easily hijacked for malicious purposes
subject /lib o
        / h
        -CAP_ALL
        connect disabled
        bind disabled

subject /lib/ld-linux.so.2 o
        / h
        -CAP_ALL
        connect disabled
        bind disabled

subject /lib64/ld-linux-x86-64.so.2 o
        / h
        -CAP_ALL
        connect disabled
        bind disabled


It might all be related to the options I've turned on configuring the kernel.

Code:

CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=100
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
# CONFIG_GRKERNSEC_SETXID is not set
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=101
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum