cronjob RBACs


Postby msprague666 » Wed Oct 14, 2009 8:29 am

Hi folks,

I'm curious if there is anything special when defining RBACs for cronjobs, specifically scripts in /etc/cron.daily. I have 2 (mlocate and ntp) that I cannot get a working RBAC for. I have tried specifying the paths I need in a subject for the script (e.g. /etc/cron.daily/ntp), which doesn't seem to work. I have done nesting for the commands I need (e.g. /etc/cron.daily/ntp:/bin/rm), but that also fails.

Would it be because run-parts is running the scripts and I need to start with the subject for run-parts and work my way down? Any advice is appreciated.

(debian lenny, grsecurity v2.1.14)

thanks,
Mike S
msprague666
 
Posts: 3
Joined: Wed Oct 14, 2009 8:19 am

Re: cronjob RBACs

Postby spender » Wed Oct 14, 2009 8:51 am

If nesting doesn't work it's probably because commands are getting executed with a shell as the intermediate step. Generally I just use inheritance rules in subjects for /etc/cron.daily etc.
In the error logs you should be able to see the parent process -- which may clue you in to how the nested subjects need to be set up.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: cronjob RBACs

Postby msprague666 » Wed Oct 14, 2009 9:14 am

Thanks, Brad. The parent says '/etc/cron.d/mlocate' (in this case) and the call that is failing is to /bin/rm to remove the lock file. However, the call to rm is in a trap, so I will try nesting with /bin/bash and see if that helps. Thanks for the quick response. I will post my results.

Thanks,
Mike S
msprague666
 
Posts: 3
Joined: Wed Oct 14, 2009 8:19 am

Re: cronjob RBACs

Postby spender » Wed Oct 14, 2009 9:38 am

You could also create an object with the inherit and execute flags on, and also set the execute auditing flag. Then you could get a trace of execution (with the parent process for each).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: cronjob RBACs

Postby msprague666 » Fri Oct 23, 2009 2:59 pm

Hi folks,

I thought I'd post that I got it to work. Just using inheritance (/bin/rm rxi) was needed, but what was odd is that I had to give more than delete access to the target file (/var/lib/mlocate/daily.lock). Once I gave it rwxcdl, it worked. :-)

M
msprague666
 
Posts: 3
Joined: Wed Oct 14, 2009 8:19 am

Re: cronjob RBACs

Postby spender » Fri Oct 23, 2009 9:05 pm

You should remove execute permissions for it; I'm quite sure it doesn't need it. It should only need rwcdl (as these lock files are often implemented through hardlinks).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
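Putting the thread's conclusion into one policy fragment, as an added example that is not from any of the posts: a subject for the mlocate cron script that inherits into /bin/rm (the exit trap runs rm through the script's shell, so the nested subject never triggers) and grants the lock file the rwcdl modes Brad suggests instead of the working-but-wider rwxcdl. The role line, the /bin/bash interpreter path and the updatedb.mlocate path are assumptions; the commented /bin line shows Brad's execute-auditing trace (capital X) for finding the parent chain.

```text
# Added example, not from the thread. Assumes the cron run happens
# under the root role and that updatedb lives at /usr/bin/updatedb.mlocate.
role root uG
# 'o' makes the subject self-contained instead of inheriting the role's
# default subject, so every path the script touches is listed here.
subject /etc/cron.daily/mlocate o {
        /                               h
        # run-parts execs the script; the kernel execs its interpreter.
        /bin/bash                       x
        # 'i' carries this subject into rm, so the 'trap "rm -f LOCK" EXIT'
        # handler is covered without a /etc/cron.daily/mlocate:/bin/rm subject.
        /bin/rm                         rxi
        # assumption: path of the updatedb binary on this system
        /usr/bin/updatedb.mlocate       x
        /var/lib/mlocate                rwcd
        # read, write, create, delete, hardlink; no 'x' (was rwxcdl before).
        /var/lib/mlocate/daily.lock     rwcdl
        -CAP_ALL
        bind    disabled
        connect disabled
}

# Debugging variant from Brad's reply: while working out the exec chain,
# replace the /bin/rm line with a broader object that inherits, executes
# and audits every exec, then read the grsec log to see each child's parent.
#       /bin                            rxiX
```

Once the trace shows which binaries actually run, drop the audited object and return to the explicit per-path lines above.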
