autogened acls


autogened acls

Postby mwimer » Wed Dec 31, 1969 8:00 pm

I was thinking about some ways to autogenerate ACLs for a running system. The idea that sounds the easiest and the most likely to work is adding a special training period to the ACL kernel code. I can gather all the requests passing through the system before it enforces the values in proc.acl and file.acl and see which programs need to have additional privileges. In this way I could then create a very strict ruleset that would only be loosened by requirements of the actual running system not.
mwimer
 
Posts: 13
Joined: Mon Mar 04, 2002 1:54 pm

yup

Postby spender » Wed Dec 31, 1969 8:00 pm

Agreed...I was thinking about that the other day, and I think the way to make it the easiest for people, and the best way to allow it to be integrated into linux distributions is to make the learning mode a mode that is passed via gradm and not a compile-time option.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby mwimer » Mon Mar 04, 2002 8:32 pm

Ok, I have the file part of the acl autogen code sorta working; right now it's written in Perl so that I can prototype it. This code doesn't take into account the CAP_* code. As you can see from the data, I will need to come up with a scheme to reduce the acl set so that it doesn't become too large. And it looks like some files like /dev/tty will fall out nicely with a simple /dev/tty w in the file.acl file.


With file.acl ==
<pre>
/ rwx
/etc r
/etc/rc.d rx
/etc/passwd r
/etc/shadow
/var/log/wtmp rw
/var/log ar
/tmp rw
/etc/grsec hr
/boot r
/lib rx
/usr rx
/etc/lilo.conf r
/bin rx
/sbin rx
/dev r
/dev/null rw
/dev/zero rw
</pre>

and proc.acl ==

<pre>
/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}

/usr/sbin/sshd p {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}

/bin/su {
/ rwx
/etc/shadow ro
}

/usr/bin/sudo {
/ rwx
/etc/shadow ro
}

/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}

/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}

/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}
</pre>

I was able to get results like this when running for about a day on a quiescent Red Hat 7.1 machine ==
<pre>
Access (/dev/tty) with r !~ w.
/usr/bin/ssh's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/bin/sh's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/usr/local/etc/scripts/redhat_hourly.sh's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/usr/bin/run-parts's attemt to access /dev/tty would have failed.
Access (/etc/cron.hourly/sysstat) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.hourly/sysstat would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.hourly/sysstat's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/usr/lib/sa/sa1's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/usr/bin/lesspipe.sh's attemt to access /dev/tty would have failed.
Access (/etc) with r !~ w.
/sbin/ldconfig's attemt to access /etc would have failed.
Access (/etc/ld.so.cache~) with r !~ w.
/sbin/ldconfig's attemt to access /etc/ld.so.cache~ would have failed.
Access (/var/log/sa) with ar !~ w.
/usr/lib/sa/sadc's attemt to access /var/log/sa would have failed.
Access (/etc/cron.daily/0anacron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/0anacron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/0anacron's attemt to access /dev/tty would have failed.
Access (/etc/cron.daily/logrotate) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/logrotate would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/logrotate's attemt to access /dev/tty would have failed.
Access (/etc/cron.daily/makewhatis.cron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/makewhatis.cron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/makewhatis.cron's attemt to access /dev/tty would have failed.
Access (/etc/cron.daily/slocate.cron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/slocate.cron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/slocate.cron's attemt to access /dev/tty would have failed.
Access (/etc/cron.daily/sysstat) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/sysstat would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/sysstat's attemt to access /dev/tty would have failed.
Access (/dev/tty) with r !~ w.
/usr/lib/sa/sa2's attemt to access /dev/tty would have failed.
Access (/var/log/sa) with ar !~ w.
/usr/lib/sa/sa2's attemt to access /var/log/sa would have failed.
Access (/var/log/sa/sa21) with ar !~ w.
/bin/rm's attemt to access /var/log/sa/sa21 would have failed.
Access (/etc/cron.daily/tetex.cron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/tetex.cron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.daily/tetex.cron's attemt to access /dev/tty would have failed.
Access (/etc/cron.daily/tmpwatch) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.daily/tmpwatch would have failed.
Access (/var/log) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log would have failed.
Access (/var/log/messages) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/messages would have failed.
Access (/var/log/messages.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/messages.5 would have failed.
Access (/var/log/secure) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/secure would have failed.
Access (/var/log/secure.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/secure.5 would have failed.
Access (/var/log/maillog) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/maillog would have failed.
Access (/var/log/maillog.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/maillog.5 would have failed.
Access (/var/log/spooler) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/spooler would have failed.
Access (/var/log/spooler.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/spooler.5 would have failed.
Access (/var/log/boot.log) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/boot.log would have failed.
Access (/var/log/boot.log.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/boot.log.5 would have failed.
Access (/var/log/cron) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/cron would have failed.
Access (/var/log/cron.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/cron.5 would have failed.
Access (/var/log/xferlog) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/xferlog would have failed.
Access (/var/log/xferlog.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/xferlog.5 would have failed.
Access (/var/log/httpd) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd would have failed.
Access (/var/log/httpd/access_log) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/access_log would have failed.
Access (/var/log/httpd/access_log.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/access_log.5 would have failed.
Access (/var/log/httpd/error_log) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/error_log would have failed.
Access (/var/log/httpd/error_log.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/error_log.5 would have failed.
Access (/var/log/httpd/ssl_request_log) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/ssl_request_log would have failed.
Access (/var/log/httpd/ssl_request_log.5) with ar !~ w.
/usr/sbin/logrotate's attemt to access /var/log/httpd/ssl_request_log.5 would have failed.
Access (/var/log/sa/sa22) with ar !~ w.
/bin/rm's attemt to access /var/log/sa/sa22 would have failed.
Access (/var/log/sa/sar21) with ar !~ w.
/bin/rm's attemt to access /var/log/sa/sar21 would have failed.
Access (/etc/cron.weekly/0anacron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.weekly/0anacron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.weekly/0anacron's attemt to access /dev/tty would have failed.
Access (/etc/cron.weekly/makewhatis.cron) with r !~ x.
/usr/bin/run-parts's attemt to access /etc/cron.weekly/makewhatis.cron would have failed.
Access (/dev/tty) with r !~ w.
/etc/cron.weekly/makewhatis.cron's attemt to access /dev/tty would have failed.
Access (/var/log/sa/sa23) with ar !~ w.
/bin/rm's attemt to access /var/log/sa/sa23 would have failed.
Access (/var/log/sa/sar22) with ar !~ w.
/bin/rm's attemt to access /var/log/sa/sar22 would have failed.
</pre>
mwimer
 
Posts: 13
Joined: Mon Mar 04, 2002 1:54 pm
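The training-period idea from the post above, as an added worked example in Python (it is neither mwimer's Perl prototype nor grsecurity's code): it replays a constructed access log against file.acl / proc.acl style rules, produces the same "would have failed" lines, and then folds the denials into the smallest set of extra rules, which is the reduction step the post says is still needed. The matching semantics are assumptions made for the example, not something the thread states: the most specific path rule wins, a subject rule carrying 'o' replaces the global rule while one without 'o' is intersected with it, and 'w' implies 'a'. The rules, subjects and log entries are constructed and only partly overlap the post's data; the function names are introduced here.

```python
"""Toy grsecurity-style learning mode: replay accesses, report denials,
then reduce the denials to a small set of additional rules.

ASSUMED semantics (not from the thread): most specific path rule wins;
a subject rule with 'o' overrides the global rule, otherwise the two are
intersected; 'w' implies 'a'.
"""
from collections import defaultdict

# Constructed file.acl-style global object rules (a subset of the post's).
FILE_ACL = """\
/ rwx
/etc r
/etc/rc.d rx
/etc/shadow
/var/log ar
/dev r
/dev/null rw
"""

# Constructed proc.acl-style subject rules; +CAP_* lines are ignored here.
# sshd deliberately lacks the 'o' flag on lastlog to show the difference.
PROC_ACL = """\
/usr/bin/passwd {
/ rwx
/etc/shadow rwo
}

/usr/sbin/sshd {
/ rwx
/var/log/lastlog rw
}
"""

# Constructed access log: (subject, object path, requested mode character).
ACCESS_LOG = [
    ("/usr/bin/ssh", "/dev/tty", "w"),
    ("/bin/sh", "/dev/tty", "w"),
    ("/usr/bin/run-parts", "/etc/cron.hourly/sysstat", "x"),
    ("/usr/sbin/logrotate", "/var/log/messages", "w"),
    ("/usr/bin/passwd", "/etc/shadow", "w"),
    ("/usr/sbin/sshd", "/var/log/lastlog", "w"),
    ("/bin/cat", "/etc/passwd", "r"),
    ("/usr/lib/sa/sadc", "/var/log/sa/sa21", "a"),
]


def parse_file_acl(text):
    """{path: set of mode chars}; a path with no mode means no access at all."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            rules[parts[0]] = set(parts[1]) if len(parts) > 1 else set()
    return rules


def parse_proc_acl(text):
    """{subject: {path: set of mode chars}} from proc.acl-style blocks."""
    subjects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):
            current = line.split()[0]
            subjects[current] = {}
        elif line == "}":
            current = None
        elif current and line and not line.startswith("+"):
            parts = line.split()
            subjects[current][parts[0]] = set(parts[1]) if len(parts) > 1 else set()
    return subjects


def most_specific(rules, path):
    """Longest rule path that is the path itself or one of its ancestors."""
    hits = [r for r in rules if path == r or path.startswith(r.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def effective_mode(file_rules, proc_rules, subject, path):
    """Mode the subject ends up with for path under the assumed semantics."""
    glob = most_specific(file_rules, path)
    global_mode = file_rules[glob] if glob else set()
    subj_rules = proc_rules.get(subject, {})
    sr = most_specific(subj_rules, path)
    if sr is None:
        return global_mode
    subject_mode = subj_rules[sr]
    if "o" in subject_mode:              # override: subject rule replaces global
        return subject_mode - {"o"}
    return subject_mode & global_mode    # otherwise the global rule still limits


def permits(allowed, requested):
    """(requested & allowed) == requested for one char; 'w' also grants 'a'."""
    return requested in allowed or (requested == "a" and "w" in allowed)


def replay(file_rules, proc_rules, log):
    """Return the report lines in the post's format and the raw denials."""
    lines, denials = [], []
    for subject, path, req in log:
        allowed = effective_mode(file_rules, proc_rules, subject, path)
        if not permits(allowed, req):
            shown = "".join(sorted(allowed)) or "-"
            lines.append(f"Access ({path}) with {shown} !~ {req}.")
            lines.append(f"{subject}'s attempt to access {path} would have failed.")
            denials.append((subject, path, req))
    return lines, denials


def reduce_denials(denials, shared_threshold=2):
    """Fold denials into modes to ADD: a path that several subjects need
    becomes one global file.acl line, the rest become per-subject lines."""
    need = defaultdict(lambda: defaultdict(set))
    for subject, path, req in denials:
        need[path][subject].add(req)
    global_rules, subject_rules = {}, defaultdict(dict)
    for path, by_subject in need.items():
        if len(by_subject) >= shared_threshold:
            global_rules[path] = set().union(*by_subject.values())
        else:
            for subject, modes in by_subject.items():
                subject_rules[subject][path] = modes
    return global_rules, dict(subject_rules)


if __name__ == "__main__":
    f, p = parse_file_acl(FILE_ACL), parse_proc_acl(PROC_ACL)
    report, denied = replay(f, p, ACCESS_LOG)
    print("\n".join(report))
    print(reduce_denials(denied))
```

With the constructed data, /dev/tty is requested by two different subjects and so comes out as a single global `/dev/tty w` addition, which is the "falls out nicely" case the post mentions; the remaining denials stay per subject. passwd's write to /etc/shadow is allowed because its rule carries 'o', while sshd's write to /var/log/lastlog is still denied because without 'o' the global `/var/log ar` rule is intersected in.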

Gracld question

Postby mwimer » Tue Apr 02, 2002 2:16 pm

In this code snippet, GR_PROC_ACCESS and GR_PROC_HIDDEN are both set to GR_HIDDEN. When I take a bitmask mode that has the GR_HIDDEN bit set and convert it to a string mode, what should the GR_PROC_ACCESS/GR_PROC_HIDDEN be converted to? 'h'?

<pre>
/* Process label declarations */

enum
{
    GR_PROC_READ = GR_READ,
    GR_PROC_APPEND = GR_APPEND,
    GR_PROC_WRITE = (GR_WRITE|GR_APPEND),
    /* write access implies append access */
    GR_PROC_EXEC = GR_EXEC,
    GR_PROC_ACCESS = GR_HIDDEN,
    GR_PROC_OVERRIDE = GR_OVERRIDE,
    GR_PROC_HIDDEN = GR_HIDDEN,
    /* Hidden, unkillable (except by init) process.
     * Good for hiding your IDSes / logging daemons :) */
</pre>

Anyway, I haven't talked much about my current work lately, so here goes. I have a gracld that is controlled by gradm using gradm [-C][-A][-r] to calibrate/collect/recollect respectively. I have to have a working version of gracld by April 14th for work (http://www.cylant.com), so I am using internal source libraries, but I hope to be able to still release the source code for it back to the community. The current project is broken down into several files:

<pre>
93 151 1127 gracld.h
1581 4276 34336 gracld-main.c
297 772 8666 gracl-parser.c
166 451 3047 gracl-parser-kernel.c
39 132 977 gracl-parser-kernel.h
141 416 2955 gracl-parser-user.c
27 73 630 gracl-parser-user.h
2344 6271 51738 total
</pre>
mwimer
 
Posts: 13
Joined: Mon Mar 04, 2002 1:54 pm

GR_PROC_FIND

Postby michaeld » Wed Apr 03, 2002 1:33 am

Find is done with an 'f' flag. I should have used proper nomenclature in that GR_PROC_FIND enumeration. When gracl checks for access, it simply does

<pre>
p_mode = mode process is allowed for current file
mode = mode requested

if((mode & p_mode) == mode)
</pre>

to check for proper privileges. So if something requests hidden file access, the process must also have that flag. If you look in other sections there should be a GR_FIND enumerated as GR_HIDDEN. Sorry if my explanation is bad, here's an example:

<pre>
if((GR_HIDDEN & process_mode_allowed) == GR_HIDDEN)
</pre>

For the process to be able to 'find' the file it must have GR_HIDDEN in process_mode_allowed. For ease of use and understanding I usually enumerate GR_FIND to be GR_HIDDEN and say it has 'find' capabilities, although the two are equivalent. Hope I helped

Michael
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am
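The check michaeld describes, as an added Python example (not gracl's own code): mode strings are converted to bit masks and back, with 'h' as the string spelling of the single GR_HIDDEN/GR_FIND bit, write implying append as the enum comment says, and `(mode & p_mode) == mode` deciding access. The bit values are assumptions chosen for the illustration and are not grsecurity's constants; mode_from_string, mode_to_string, access_allowed and missing_modes are names introduced here.

```python
"""gracl-style bitmask access check with string <-> bit conversion.
Bit values are ASSUMED for illustration; they are not grsecurity's."""

GR_READ, GR_APPEND, GR_WRITE, GR_EXEC, GR_HIDDEN, GR_OVERRIDE = 1, 2, 4, 8, 16, 32
GR_FIND = GR_HIDDEN                    # same bit, named for what it grants
GR_PROC_WRITE = GR_WRITE | GR_APPEND   # write access implies append access

# Character <-> bits; 'h' is the string form of GR_HIDDEN / GR_FIND.
MODE_CHARS = {
    "r": GR_READ, "w": GR_PROC_WRITE, "a": GR_APPEND,
    "x": GR_EXEC, "h": GR_HIDDEN, "o": GR_OVERRIDE,
}
# Output order: 'w' must come before 'a' so the append bit it implies is
# consumed by 'w' and "rw" round-trips as "rw" rather than "rwa".
CANONICAL = "rwaxho"


def mode_from_string(text):
    """'rwo' -> bits; unknown characters are rejected rather than ignored."""
    bits = 0
    for ch in text:
        if ch not in MODE_CHARS:
            raise ValueError(f"unknown mode character {ch!r}")
        bits |= MODE_CHARS[ch]
    return bits


def mode_to_string(bits):
    """Inverse of mode_from_string; a bare GR_HIDDEN comes back as 'h'."""
    out, remaining = "", bits
    for ch in CANONICAL:
        b = MODE_CHARS[ch]
        if remaining & b == b:       # emit a char only when all its bits are set
            out += ch
            remaining &= ~b
    if remaining:
        raise ValueError(f"bits with no mode character: 0x{remaining:x}")
    return out


def access_allowed(p_mode, mode):
    """gracl's test: every requested bit must already be in the allowed mode,
    so a request carrying GR_HIDDEN fails unless the subject holds that bit."""
    return (mode & p_mode) == mode


def missing_modes(p_mode, mode):
    """Requested modes the subject lacks, as a string ('' when allowed);
    this is the "!~" part of a learning-mode denial line."""
    return mode_to_string(mode & ~p_mode)


if __name__ == "__main__":
    print(mode_to_string(GR_HIDDEN))                                 # h
    print(access_allowed(mode_from_string("rx"), mode_from_string("rh")))
    print(missing_modes(mode_from_string("rx"), mode_from_string("rwh")))
```

Because 'w' is stored as GR_WRITE|GR_APPEND, a subject allowed "rwx" passes a plain append request without the rule author ever writing 'a', and because GR_FIND and GR_HIDDEN are one bit, the converter has only one character to hand back for it.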

